News Courtesy of theregister.co.uk:
A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking.
Security shortcomings let attackers exploit weaknesses within WordPress’s PHP framework, allowing already registered users without admin privileges to run exploit code, infosec consultancy Secarma has warned.
The hole offers a previously undiscovered way to expose “unserialization” in the platform’s code using a combination of XML external entity (XXE) attacks and server-side request forgery (SSRF).
The majority of WordPress website administrators shouldn’t be freaking out. Basically, your security has to be pretty lax in order for the sequence of events to take place for a complete system takeover. Any good admin knows to install a firewall application for WordPress. There are several plugins available that are fairly easy to set up. I suggest All in One WP Security & Firewall if you’re looking for a robust solution.
The article does point out that the WordPress team has been aware of the issue since February 2017. I find that very surprising. They’re usually pretty quick to patch any vulnerabilities. Is it a sign that they don’t take this particular problem very seriously? Or would it require a drastic overhaul of code to fix the bug? Maybe it will get some priority now that it is out in the public.
For those of you who are interested in a detailed explanation, a video demonstration of the exploit can be seen here. It’s a rather lengthy video, clocking in at almost 48 minutes. I’ve linked to the part directly referencing WordPress. Watching the explanation and steps necessary to perform the exploit certainly has me confused. It’s not idiot-proof and appears to require some extensive knowledge of PHP functionality. Still, I think the author of the exploit was wise to release it. This should force some kind of response from either the PHP team or WordPress.