Description

Your WordPress installation is configured to allow editing of theme and plugin files. This is a security risk because an attacker with access to the WordPress dashboard can inject and execute arbitrary PHP code by editing one of the theme or plugin files. It's recommended to disable editing of theme and plugin files.

Remediation

To disable editing, add the following lines to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true ); //disables file editor
define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer
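
A check for the remediation above, as an added example (not part of the original page or of WordPress): it reads wp-config.php source, ignores commented-out define() lines, and reports whether the two constants are actually set to true. The sample configs and the function names are constructed for illustration.

```python
import re
import sys

# Match string literals first so "//" inside a URL is not mistaken for a comment.
_TOKEN = re.compile(r"""
    '(?:\\.|[^'\\])*'     # single-quoted string, kept
  | "(?:\\.|[^"\\])*"     # double-quoted string, kept
  | /\*.*?\*/             # block comment, dropped
  | (?://|\#)[^\n]*       # line comment, dropped
""", re.S | re.X)

# define() is case-insensitive in PHP; the constant name is not.
_DEFINE = re.compile(
    r"""\b(?i:define)\s*\(\s*(['"])(DISALLOW_FILE_(?:EDIT|MODS))\1\s*,\s*([^)]*?)\s*\)""")

# Constructed sample: one define left commented out, the other set to false.
SAMPLE_WEAK = """<?php
define( 'WP_HOME', 'https://example.test' ); // constructed value
// define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', false );
"""

# Constructed sample: the two lines from the remediation above.
SAMPLE_HARDENED = """<?php
define( 'DISALLOW_FILE_EDIT', true ); //disables file editor
define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer
"""

def strip_comments(php):
    """Blank out PHP comments, leave string literals untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "'\"" else " ", php)

def audit(php):
    """Report whether the file editor and the installer are disabled."""
    consts = {}
    for m in _DEFINE.finditer(strip_comments(php)):
        # Only a literal true/1 counts; any other expression is reported as not set.
        enabled = m.group(3).strip("'\"").lower() in ("true", "1")
        consts.setdefault(m.group(2), enabled)  # PHP keeps the first define()
    mods = consts.get("DISALLOW_FILE_MODS", False)
    return {"editor_disabled": consts.get("DISALLOW_FILE_EDIT", False) or mods,
            "installer_disabled": mods}

if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit(fh.read()))
    else:
        print(audit(SAMPLE_WEAK), audit(SAMPLE_HARDENED))
```
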
