Pre-Authentication RCE in WordPress Core

patrikg1 pts0 comments

wp2shell: Pre Authentication RCE in WordPress Core

wp2shell

Pre Authentication RCE in WordPress Core

Searchlight Cyber's security research team has discovered a<br>pre-authentication RCE in WordPress Core.<br>The attack has no preconditions and can be exploited by an anonymous user in a stock<br>install of WordPress with no plugins.

It is estimated that over 500 million websites use WordPress. Given the severity of<br>the bug and to give defenders time to patch, we are not releasing technical details<br>at this time. We are, however, releasing a checker so you can determine whether your<br>instance is vulnerable. Check your site directly below.

wp2shell checker

Scan

Versions Affected

not affected<br>6.9.0 - 6.9.4affected, fixed in 6.9.5<br>7.0.0 - 7.0.1affected, fixed in 7.0.2

Mitigation

The best way to protect yourself is to update WordPress immediately. WordPress 7.0.2<br>contains the fix (or 6.9.5 if you are on the 6.9 branch). Until you can update, there<br>are multiple mitigation options:

Install the plugin Disable WP REST API to disable unauthenticated<br>users from using the WordPress API. This is the easiest option but does have a possible<br>low risk of breaking existing functionality.

Use a WAF to block the path /wp-json/batch/v1 and the query parameter<br>rest_route=/batch/v1 (both of these patterns must be blocked to secure<br>your instance).

Drop the following custom plugin into<br>wp-content/plugins/disable-batch-api-for-unauth.php on the filesystem for<br>your WordPress instance via SSH or FTP and enable it from Plugins in<br>the admin panel:<br>get_route() );

if ( '/batch/v1' !== $route || is_user_logged_in() ) {<br>return $result;

return new WP_Error(<br>'rest_batch_authentication_required',<br>'Authentication is required to use the batch API.',<br>array( 'status' => 401 )<br>);

add_filter( 'rest_pre_dispatch', 'wporg_require_authentication_for_rest_batch', -1000, 3 );

Note that these solutions may have impact on legitimate use of the site and should only<br>be considered emergency temporary measures until you can update.

Credits

Discovered and authored by<br>Adam Kues<br>of Searchlight Cyber.

wordpress authentication batch core wp2shell plugins

Related Articles