Vulnerability in WordPress CMS Core

RIPS security researchers have disclosed a flaw in the WordPress content management system (CMS) that was first discovered in November 2017. The vulnerability exists within the post editor, a part of the WordPress CMS that is accessible only to users whose privileges allow them to upload and delete images. A threat actor who gains access to an account with these privileges can hijack the site by deleting the wp-config.php file and inserting their own file to carry out a variety of malicious activities. The vulnerability impacts all versions of WordPress CMS, and there is currently no patch available. The NJCCIC recommends that users and administrators of WordPress sites review the RIPS blog on the vulnerability for additional information and a temporary hotfix for WordPress-powered sites.