Description

Your WordPress installation is configured to allow editing of theme and plugin files. This is a security risk as an attacker with access to the WordPress dashboard to is able to inject and execute arbitrary PHP code by editing one of the theme or plugin files. It's recommended to disable editing of theme and plugin files.

Remediation

To disable editing add the following lines to the wp-config.php file: 

define( 'DISALLOW_FILE_EDIT', true ); //disables file editor
define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer

References

Reverse Hardening WordPress Config

Related Vulnerabilities

Struts 2 Config Browser plugin enabled

PHP enable_dl enabled

ASP.NET connection strings stored in plaintext

Web Cache Poisoning via JSONP and UTM_ parameter

Node.js Debugger Unauthorized Access Vulnerability

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration