"2018/01/24: The WordPress security team estimates the time to fix to be 6 months."
RIPS could have at least waited one more month. It sounds like WordPress gave their HackerOne extension deadline.
Also, lots of typos and bad wording in the article make it look even less professional. For instance, if I didn't know the context, the following sentence makes absolutely no sense:
"The value of $_POST[‘thumb’] could hold the, to the WordPress upload directory relative, path of any file, and when the attachement gets deleted, the file will get deleted with it as seen in the first listing."
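The quoted sentence describes a deletion routine that trusts a meta-supplied path relative to the upload directory. As an added illustration (not code from the article or from WordPress), this is the containment check a defender would want such a routine to make: resolve the path and refuse anything that does not stay under the upload directory. The directory layout and file names are constructed for the demo.

```python
import os
import tempfile


def safe_thumb_path(upload_dir, thumb):
    """Return the absolute path for `thumb` only if it resolves inside upload_dir, else None."""
    if not thumb or os.path.isabs(thumb) or "\x00" in thumb:
        return None
    base = os.path.realpath(upload_dir)
    # realpath collapses ".." and follows symlinks, so the check below sees the real target
    candidate = os.path.realpath(os.path.join(base, thumb))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows) share no prefix
        return None
    if candidate == base:  # the upload directory itself is never a thumbnail
        return None
    return candidate


def delete_thumb(upload_dir, thumb):
    """Unlink the thumbnail only when it passes safe_thumb_path; True if a file was removed."""
    target = safe_thumb_path(upload_dir, thumb)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Constructed scenario: one real thumbnail inside uploads, one file outside them."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(os.path.join(uploads, "2018", "06"))
    inside = os.path.join(uploads, "2018", "06", "photo-150x150.jpg")
    outside = os.path.join(root, "not-an-upload.txt")
    for path in (inside, outside):
        open(path, "w").close()
    return {
        "thumb_deleted": delete_thumb(uploads, "2018/06/photo-150x150.jpg"),
        "traversal_refused": not delete_thumb(uploads, "../../not-an-upload.txt"),
        "absolute_refused": not delete_thumb(uploads, outside),
        "outside_survives": os.path.exists(outside),
        "thumb_gone": not os.path.exists(inside),
    }
```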
(I'm personally a fan of a tiered system wherein high-risk bugs have a hard deadline of 3 months or less before public disclosure, and medium/low risk bugs a much longer deadline)
It's one thing to have periodic vulnerabilities in fairly central technologies that have few alternatives, and whose developers take those vulnerabilities seriously.
It's another to consistently choose a technology that has visibly and consistently thrown security to the wind, leaves its users totally vulnerable, and has no reasonable fixes; especially when far, far more secure alternatives exist.
So no, I don't believe any of those are valid equivalencies. WordPress is not the 'right tool' for any job. And PHP itself is also culpable in similar fashion.
Nonsense on stilts. More serious exploits are routinely found in everyday tech. This is not a serious exploit, a stock install of WordPress isn't vulnerable. The idea that WP somehow is especially complacent about security compared to other major software projects is just a trope.
I'm sympathetic to the idea that WP need not be exposed when a site can be delivered with static files. That's a fair argument that I agree with. But no one's advocating abandoning iOS or Windows or Android because if you install a certain app, or if you use a browser or open a certain type of file you run the risk of exploits. To advocate throwing out the baby with the bathwater over a bug like this suggests you cherry pick your concerns and/or have an axe to grind.
I am not aware of any serious vulnerabilities in an up-to-date WordPress site. Its security practices seem reasonable. Your link shows that most of the vulnerabilities come from plugins, plus WordPress is a big target.
WordPress is simple to set up, simple to use, and has a huge community. In the real world, it is often the best choice.
Except WordPress is almost completely founded on its plugins, so that's a non-trivial consideration. Specifically, if WordPress cannot provide proper abstractions, sandboxing, and protocols for plugins to be secure by default, the issue could be greatly reduced. As-is, its model both encourages such flaws to be included and provides its non-technical users with no viable way to identify which are likely to be vulnerable plugins.
The more time I spend in IT the more I appreciate extreme simplicity. Sure WordPress claims to be simple for the average user, but it's always what's under the hood that counts.
I've put my WordPress behind a firewall, in a docker container, and mirror it with wget to my actual webserver, serving the static files. I sleep better at night.
Seems like you wouldn't be able to actually use this vulnerability without a valid nonce, so I don't see how you would trigger this unless you have some sort of malicious plugin also installed on the site...?
Not sure why someone would do this, but even without a plugin you can go to General Settings and set New User Default Role to Author. This would give any new accounts the ability to exploit this.