Not fixed security issues that could be exploited
WordPress is on the auto-updates train for everything lately and they do it for “security”. Auto-updates from core is approach and it is same for everything, so let we see what is doing under the hood. There is function update_core and that is the place where magic is happening. WP core is deciding via get_core_checksums what files need to …
WordPress project have put a lot of effort to prevent meddling with _wp_attached_file meta value. Part of this effort was put into wordpress-importer plugin as part of the core, but… Few versions back there was possibility to bypass those restrictions with \ WP “magic”, but there are few more techniques. Eli5 PoC class-wp-import.php method is_valid_meta_key we have the following: and Do you …
Big efforts were put into validation and verification of image uploads in WP as a project. Yet, that isn’t completed task. In the WP core there is function wp_upload_bits which allows to be “uploaded” file with any content with any of the allowed extensions. Beside its widespread usage around eco system there are two places in the core …
It is common knowledge that non binary safe functions in PHP should be avoided e.g. to be replaced from legacy code with binary safe alternatives. What we have in the WP core class-wp-image-editor-imagick and we all know that PHP imagick prefers writeImageFile before writeImage because it is binary safe. What does this mean? This means if WP uses class-wp-image-editor-imagick as default image …
Image cropping in WordPress is sort of unlucky, specially derivation of final image path ( file system or http/s location ), where image will be loaded from the path, but decisions for additional directories creation and final path (no traversal prevention here) are taken from _wp_attached_file. Those issues are subject for deeper observation and debugging which …
WordPress have a lot of serious issues with paths. There were several tries in the past for security and core team to fix arbitrary file delete issues in the core, but bugs (plural) still remain. Why this bug presented here exist? (there are many another use cases in the core) Because core is solving arbitrary …