An immense majority of the web pages that we visit daily are built on the same content manager: WordPress . In his favor has always played the fact of being free, very easy to customize, with many developers designing templates or extensions of all kinds and its great versatility. But there is a detail that seems to escape this idyllic equation: security.

There are numerous cybersecurity holes that WordPress has had throughout history, but the case that concerns us makes all the alarms jump.

And, as denounced by Ripstech , a major vulnerability has been exposing thousands of web pages for six years without anyone releasing a patch to solve the incident. Also, it is not just any security hole: cybercriminals could execute arbitrary code on the site’s server.

“An attacker who gains access to an account, with at least author privileges, on a WordPress site could execute arbitrary PHP code on the underlying server, which would in turn allow remote control of the entire web “, say the researchers.

The error was in the WordPress image management system, which manages the ‘Post Meta’ entries, which are used to store the description, size, creator and other meta information of the loaded images. Apparently, any registered WordPress user could modify the entries associated with an image and set them to arbitrary values.

This is what is known as “path trajectory vulnerability” and implies that the attacker must have previously obtained a registered account in the WordPress blog to attack . That, in some way, reduces the level of threat in many cases.

According to the discoverers of the security hole, code execution could not be executed through this flaw in versions of WordPress 5.0.1 and 4.9.9, since this vulnerability was inadvertently corrected when a patch was introduced to alleviate another another problem that concerns us. But in other versions this incidence still exists since it has never been properly patched.