Can WP plugins access files outside the installation folder?

If I have multiple WP installations in, let's say, /var/www, can a plugin be developed to access files outside its own directory?

I want to host multiple installations for different customers in the same chroot. But those customers will have admin access to their instance. Can they theoretically develop a WP plugin to access the files (or even WP config, including DB credentials) of another WP installation?

For example, can the WP located at /var/www/wordpress-customer-1 access files located at /var/www/wordpress-customer-2?

Thanks!



Can they theoretically develop a WP plugin to access the files (or even WP config, including DB credentials) of another WP installation?

Yes.

If your folders are owned by the same user, run as the same user in Apache/Nginx or have read/write access to each other, then it's possible.

Your installations are sandboxed at the server/host level, not the WP level. If your users have the ability to upload plugins or edit PHP, then they can easily upload a version of the emergency.php targeted at the other installs and reset the admin password. Likewise they could insert a PHP shell, or read the wp-config.php of the other install.

It's also much worse: if one of those sites gets hacked, all of them could be infected. You also have a more difficult time with backups.

If you are concerned for security, you should fix this immediately. How you would fix that is server specific and not in the scope of this site. Consider asking on ServerFault.
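As an added example (not part of the original answer), a host-side audit in Python for two of the conditions named above: installs whose wp-config.php is owned by the same user, and configs readable or writable beyond their owner. The function names and the sample tree are constructed for illustration, and the script assumes a Linux host; it does not check which user PHP runs as, which has to be read from the PHP-FPM or web server configuration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def audit_wp_isolation(root):
    """Return findings for WordPress installs directly under `root`.

    An install is any subdirectory containing wp-config.php. Findings are
    (kind, detail) tuples; an empty list means neither check fired.
    """
    owners = defaultdict(list)
    findings = []
    for name in sorted(os.listdir(root)):
        config = os.path.join(root, name, "wp-config.php")
        if not os.path.isfile(config):
            continue
        st = os.stat(config)
        owners[st.st_uid].append(name)
        # Any group/other bit lets a different account reach the DB credentials.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(("config-not-private", f"{name}: mode {mode:04o}"))
    # Installs sharing an owner are not separated by file permissions at all.
    for uid, installs in owners.items():
        if len(installs) > 1:
            findings.append(("shared-owner", f"uid {uid}: {', '.join(installs)}"))
    return findings


def build_sample_tree(modes):
    """Create a constructed /var/www-like tree in a temp dir for the demo."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for name, mode in modes.items():
        os.mkdir(os.path.join(root, name))
        config = os.path.join(root, name, "wp-config.php")
        with open(config, "w") as fh:
            fh.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(config, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree(
        {"wordpress-customer-1": 0o644, "wordpress-customer-2": 0o600}
    )
    for kind, detail in audit_wp_isolation(sample):
        print(kind, detail)
```

On a real host, call `audit_wp_isolation("/var/www")` as root so every install's wp-config.php can be read by `os.stat`.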
