• Resolved nlpro

    (@nlpro)


    This topic’s aim is to clarify the following entry from the 7.0.4 changelog:

    Enhancement: Add mitigation for the WordPress Attachment File Traversal and Deletion vulnerability.

    First read the WordPress Attachment File Traversal and Deletion vulnerability article by Pierluigi Paganini.

    The mitigation mentioned in the 7.0.4 changelog has been implemented as a new setting (enabled by default) in the WordPress Tweaks module and it looks like this:

    Mitigate Attachment File Traversal Attack: [x] Prevent attachment thumbnails from traversing to other files.

    Disabling this feature is not recommended. This helps mitigate an attack where users with the “author” role or higher could delete any file in your WordPress installation including sensitive files like wp-config.php.

    • This topic was modified 6 years, 9 months ago by nlpro.
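As an added illustration of the kind of guard this setting provides (example code written for this thread, not the iThemes Security plugin's or WordPress core's own implementation; the `udg_` function names are hypothetical), a small mu-plugin that hooks the `wp_delete_file` filter and refuses to unlink anything outside the uploads directory, which is where a crafted thumbnail path would otherwise lead:

```php
<?php
/**
 * Plugin Name: Uploads-only Delete Guard (hypothetical example for this thread)
 * Description: Refuses to delete files that resolve outside wp-content/uploads.
 */

/**
 * Return true only if $path, once "." and ".." segments are collapsed, lies
 * inside $basedir. The normalisation is lexical on purpose: realpath() returns
 * false for files that no longer exist, and the original file may already be
 * gone by the time the thumbnail path is checked.
 */
function udg_path_is_within( $path, $basedir ) {
    $basedir = rtrim( wp_normalize_path( $basedir ), '/' ) . '/';
    $path    = wp_normalize_path( $path );

    $parts = array();
    foreach ( explode( '/', $path ) as $seg ) {
        if ( '' === $seg || '.' === $seg ) {
            continue;
        }
        if ( '..' === $seg ) {
            array_pop( $parts ); // step up, but never above the root
            continue;
        }
        $parts[] = $seg;
    }
    $normalised = ( 0 === strpos( $path, '/' ) ? '/' : '' ) . implode( '/', $parts );

    return 0 === strpos( $normalised, $basedir );
}

/**
 * wp_delete_attachment() passes the original file, the 'thumb' entry and every
 * intermediate size through the 'wp_delete_file' filter before unlinking, and
 * an empty return value skips the unlink. Relative paths are joined to the
 * uploads base directory first, mirroring how core builds the final path.
 */
function udg_guard_delete( $file ) {
    $uploads  = wp_upload_dir();
    $resolved = path_join( $uploads['basedir'], $file );

    if ( ! udg_path_is_within( $resolved, $uploads['basedir'] ) ) {
        error_log( 'udg: refused to delete file outside uploads dir: ' . $file );
        return '';
    }
    return $file;
}
add_filter( 'wp_delete_file', 'udg_guard_delete' );
```

With this in place a metadata `thumb` value such as `../../wp-config.php` resolves above the uploads directory, is logged, and is not deleted.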
Viewing 1 replies (of 1 total)
  • Thread Starter nlpro

    (@nlpro)

    Update:

    Since the WordPress 4.9.7 Security and Maintenance Release fixed the WordPress Attachment File Traversal and Deletion vulnerability, the Mitigate Attachment File Traversal Attack setting in the WordPress Tweaks module can safely be disabled.

  • The topic ‘7.0.4 changelog clarification’ is closed to new replies.