According to the researchers, the WordPress team was informed almost eight months ago of a flaw affecting the CMS, which, let's remember, is the most popular content management system on the internet. The researchers used RIPS, a static code analysis tool that automatically detects vulnerabilities in PHP applications, to find the flaw. The vulnerability affects the core of the WordPress CMS, specifically its PHP functions. This is a very big problem because PHP is one of the most popular and accessible programming languages. In fact, most beginners in programming start with PHP.
The vulnerability allows a malicious user to insert malicious code into a WordPress site and makes it possible to delete any file in the WordPress installation, as well as any other file on the server that the PHP process user has the necessary permissions to delete. Even the following files can be deleted: .htaccess, index.php and wp-config.php. This should not, in principle, be possible. Faced with such a perilous situation, it is all the more curious that the WordPress team has visibly done nothing. This type of incident seems to have recurred in recent years. Recall that early this year, a flaw in WordPress made it possible to take sites out of service using a single ordinary workstation.
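Because the impact is bounded by what the PHP process user is allowed to delete, that exposure can be measured. The script below is an added example (not from the original article or from WordPress): run as the PHP process account, it reports which of the three files named above that account could delete. The function names and the directory argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit delete exposure of key WordPress files.
# Usage (run as the PHP process user): sh audit.sh /path/to/wordpress

# can_delete FILE -> exit status 0 if the current user could unlink FILE.
# On POSIX systems this depends on the parent directory, not on the file's
# own mode: the directory must be writable and searchable, and if it has the
# sticky bit set, the caller must also own the file or the directory.
# Not covered here: ACL edge cases and immutable file attributes.
can_delete() {
    file=$1
    dir=$(dirname -- "$file")
    [ -e "$file" ] || [ -h "$file" ] || return 1
    [ -w "$dir" ] && [ -x "$dir" ] || return 1
    if [ -k "$dir" ] && [ "$(id -u)" -ne 0 ]; then
        [ -O "$file" ] || [ -O "$dir" ] || return 1
    fi
    return 0
}

# audit_wp_root DIR -> prints one status line per file named in the article.
audit_wp_root() {
    root=$1
    for name in .htaccess index.php wp-config.php; do
        if can_delete "$root/$name"; then
            echo "DELETABLE  $root/$name"
        elif [ -e "$root/$name" ]; then
            echo "protected  $root/$name"
        else
            echo "missing    $root/$name"
        fi
    done
}

# Only audit when a directory was given on the command line.
if [ "$#" -gt 0 ]; then
    audit_wp_root "$1"
fi
```

A line marked DELETABLE means the directory permissions, not the file's own mode, are what would let the web server account remove that file.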
No solution seems to have been provided by the WordPress team for this vulnerability, which affects all versions of the famous content manager, even version 4.9.6, which is the current version. However, a certain level of access is needed to exploit this flaw. This could explain why the WordPress team does not seem to care much about it: they may consider it to be without major risk. However, the researchers explain that if a user can register even a low-level user account on a site and elevate their privileges, they can exploit this vulnerability to compromise a WordPress site.