Admin tasks have a low level of access specificity; DirectInstall in particular should be allowed only by super-administrators.
Upgrade to v1.8.6 of the Admin-plugin. The vulnerability is more pertinent to sites with multiple or many users, less so for sites with few or single users.
Certain tasks within the Admin-plugin interface were exposed to lower-level registered users. This allows users without the
admin.login permission to update the newsfeed, check for updates via GPM, process notifications, and reinstall packages. Users without the
admin.pages permission could process Markdown, delete media, or change language. Users without the
admin.super permission could do all of this and, in addition, perform direct installations via uploaded packages.
Users capable of performing low-level POST requests, with authenticated access to the Admin-plugin interface, could execute any of these tasks. Whilst the majority are not critical, direct installation in particular would allow remote code execution.
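The root cause described above is a task dispatcher that checks only that the caller is logged in, not that the caller holds the permission the specific task needs. The following added example (not Grav's or the Admin-plugin's own code) shows that weak check beside a deny-by-default version that maps every task to a required permission. The task names, the `$user` array layout and the rule that `admin.super` grants every task are assumptions made for the example; the permission names `admin.login`, `admin.pages` and `admin.super` are the ones named in this advisory.

```php
<?php
// Added example, not the Admin-plugin's code. Task names, the $user array
// layout and "admin.super grants everything" are assumptions for illustration.
declare(strict_types=1);

// Every task the interface exposes, with the permission it requires.
// A task missing from this map is refused rather than silently allowed.
const TASK_PERMISSIONS = [
    'updateNewsfeed'       => 'admin.login',
    'checkUpdates'         => 'admin.login',
    'processNotifications' => 'admin.login',
    'reinstallPackage'     => 'admin.login',
    'processMarkdown'      => 'admin.pages',
    'deleteMedia'          => 'admin.pages',
    'changeLanguage'       => 'admin.pages',
    'directInstall'        => 'admin.super',
];

// Weak pattern: only verifies that the request comes from an authenticated
// account, so any registered user can trigger any task, DirectInstall included.
function authorizeTaskWeak(array $user, string $task): bool
{
    return ($user['authenticated'] ?? false) === true;
}

// Hardened pattern: the caller must be authenticated AND hold the task's
// required permission. Unknown tasks are denied by default.
function authorizeTask(array $user, string $task): bool
{
    if (($user['authenticated'] ?? false) !== true) {
        return false;
    }
    if (!array_key_exists($task, TASK_PERMISSIONS)) {
        return false;
    }
    $granted = $user['access'] ?? [];
    if (!empty($granted['admin.super'])) {
        return true; // assumption: super-administrators may run every task
    }
    return !empty($granted[TASK_PERMISSIONS[$task]]);
}

// Dispatcher: decide before doing any work, and log every refusal so that
// repeated attempts against privileged tasks are visible to operators.
function handleTaskRequest(array $user, string $task): string
{
    if (!authorizeTask($user, $task)) {
        error_log(sprintf('denied task "%s" for user "%s"', $task, $user['username'] ?? '?'));
        return '403 Forbidden';
    }
    return "200 OK: ran {$task}";
}

// Constructed sample accounts (not real site data).
$registered = ['username' => 'guest',  'authenticated' => true, 'access' => []];
$editor     = ['username' => 'editor', 'authenticated' => true,
               'access' => ['admin.login' => true, 'admin.pages' => true]];
$superAdmin = ['username' => 'root',   'authenticated' => true,
               'access' => ['admin.super' => true]];

echo 'weak check, registered user, directInstall: ',
     var_export(authorizeTaskWeak($registered, 'directInstall'), true), PHP_EOL;
echo 'hardened check, registered user, directInstall: ',
     var_export(authorizeTask($registered, 'directInstall'), true), PHP_EOL;
echo handleTaskRequest($editor, 'deleteMedia'), PHP_EOL;
echo handleTaskRequest($editor, 'directInstall'), PHP_EOL;
echo handleTaskRequest($superAdmin, 'directInstall'), PHP_EOL;
```

The point of the explicit map is that adding a new task without a permission entry fails closed instead of inheriting whatever the weakest existing check allows; a site administrator auditing a plugin can compare such a map against the permission each task actually needs.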
Versions of the Admin-plugin prior to 1.8.6 are affected; the issue was discovered in 1.8.5.