A flaw has been disclosed by RIPS Technologies which allows logged-in users with Author privileges or higher to delete files from the server.

In WordPress, any user who logs into the site with an Author role or higher can upload media files and edit what’s called metadata for that file (e.g. uploading an image and entering the description for that image). The identified vulnerability occurs when a user enters a relative path to a file disguised as the “thumbnail” of an image. This file would then be deleted when the image is deleted from the media library.

The consequences of this flaw mean that a user could delete the configuration file for a site, which then forces WordPress into triggering the installation process. The user could then enter their own configuration settings, making themselves an admin at which point they have full access to the site.

Wordfence has issued an update to its premium users which will prevent the vulnerability from being exploited, while free users will have to wait around 30 days for the fix. It’s important to remember that this can only happen from users with Author privileges or higher, so don’t be afraid to be cautious when giving out these higher-level accounts.