WordPress Directory Traversal Attack

Febna V M
Published on
29 Jun 2018
1 min read

Directory traversal is a HTTP attack that allows an attacker to access restricted files, directories, and commands that reside outside the web server’s root directory.

WordPress versions from 3.0 to 4.8.1 are vulnerable to path traversal or directory traversal when extracting zip files.

This vulnerability occurs during unzip operations in the ZipArchive and PclZip components, allowing attackers to overwrite arbitrary files.

The unzip_file function takes ‘$to’, as an argument which is the target directory into which the files in the zip should be extracted. If a maliciously crafted zip file is extracted with a filename starting with dot dot slash (../) then the file will be extracted into the parent of the ‘$to’ argument’s target directory.

An attacker can place a file in any directory to which the web-server has write permission with a specially crafted filename as mentioned below:

       unzip_file( string $file, string $to )


E.g. A zip entry with a filename of ../../../../../../../../../../tmp/file would place the file contents in the ‘/tmp/file’ directory of the web-server.

Both PHP’s built-in ZipArchive (/wp-admin/includes/file.php:_unzip_file_ziparchive) and the 3rd party PclZip (/wp-admin/includes/file.php:_unzip_file_pclzip) extraction methods are vulnerable to directory traversal when unzipping. Both these functions fail to check whether the target path is within the ‘$to’ target directory.

Impact of WordPress Directory Traversal Attack

An attacker may exploit this vulnerability to upload malicious files to any location where the web server has write permission. An attacker can upload reverse shells, configuration files or even add SSH access if the web server has security misconfigurations.

Ultimately, the attacker may access confidential information or even compromise the entire server.

How to Prevent WordPress Directory Traversal Attack

In order to prevent a directory traversal attack, it is recommended to update WordPress to version 4.8.2 or the latest available version.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment