WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#47276 closed defect (bug) (invalid)

possible vulnerability in the core files of WordPress.

Reported by: dansve
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Hello,

My name is Henrik and I would like to provide some information in regards to some recent findings and also request some help on your behalf so that we may find a solution.

Recently several of my clients have reported their WordPress websites being hacked, all in the exact same manner. They have absolutely nothing in contact to each other, their WordPress websites have entirely different plugins and themes and are on different versions spanning from 4.8 to 5.1 - this leads me to the idea that there is a vulnerability in the core WordPress files, themes or plugins that WordPress comes installed with, because I have found an ABSOLUTELY FRESH WordPress installation, with ONLY the default things installed, which was absolutely hacked to shits. I also want to mention they are each on different servers, but all running cPanel installations with Softaculous etc.

I understand the unlikelihood of there being a core WordPress vulnerability and what severity this would bring, but please do not shoot down my theory as I am also a penetration tester and I am almost certain it is a core issue.

Here are some screenshots of how the infections look:
https://prnt.sc/norkj6
https://prnt.sc/norkuz
https://prnt.sc/norlop

Please provide me with a solution to this, as my clients are getting hacked left and right and I am absolutely certain it is not their fault, all the servers have mod_sec rules and such - this is a core WordPress vuln.

Attachments (1)

error_log (1) (1.5 MB) - added by dansve 2 years ago.

Change History (6)

#1 @dansve
2 years ago

Please tell me what information I need to provide in order to resolve this. Almost all error logs have been cleared by the attacker, but I am certain this is not the first report you have received in regards to this specific case.

#2 @ocean90
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed
  • Version 5.1.1 deleted

Hello @dansve, welcome to WordPress Trac!

I'm sorry that your site seems to be hacked. Unfortunately we can't help you with your hacked sites here. Please follow the steps mentioned on https://codex.wordpress.org/FAQ_My_site_was_hacked or try our support forums at https://wordpress.org/support/forums/.

In case you have found a security vulnerability in WordPress please read https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/.

#3 @dansve
2 years ago

I don't want your help with my hacked websites, I can clean the infection myself - I am telling you there is a vulnerability in the core files of WordPress - install a fresh new WordPress and it would be vulnerable, does that not sound troublesome???

#4 @dansve
2 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

#5 @ocean90
2 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

There are many factors that allow attackers to hack a site. Unless you can provide proof of a security vulnerability in WordPress core we aren't able to help you. Again, if you have found something please follow https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/.

Please do not reopen the ticket, discussion can happen while the ticket is closed as well.