Severe PHP Exploit Threatens WordPress Sites with Remote Code Execution

(but probably not yours…)

Researchers have created a proof-of-concept exploit that would enable bad actors to target a severe vulnerability in PHP, the programming language behind several major CMS platforms, including WordPress. The vulnerability remains unresolved, more than a year after it was reported.

[Editor note: “Proof of concept” means that they’ve figured out how to do this in a security research lab. As far as we know this exploit has NOT been found “in the wild”. So between that and the required privileges described below, you’re probably safe.]

The researchers at Secarma who uncovered the exploit said it could allow bad actors to open up thousands of WordPress sites (and other web applications) to remote code execution.

“For WordPress, an attacker would need privileges to upload and modify media items to gain sufficient control of the parameter, researchers said.”

Full article:
