WordPress Plugin Vulnerabilities

buddypress-xprofile-custom-fields-type 2.6.3 - Authenticated Arbitrary File Deletion

Description

Type user access: any user registered used in BuddyPress.

$_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
$_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.
Code
File: wp-conent/plugin/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php Lines: 452, 472, 496, 513, 568, 579 Examples:
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenfile' ] );
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenimg' ] );

Proof of Concept

Affects Plugins

Plugin icon
buddypress-xprofile-custom-fields-type
No known fix

References

URL
https://lenonleite.com.br/2018/01/08/13-17-wordpress-plugins-with-over-150000-270000-active-downloads-with-the-same-security-issues/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Submitter
Lenon Leite
Submitter website
https://lenonleite.com.br/
Submitter twitter
https://twitter.com/lenonleite
Verified
No
WPVDB ID
085e873d-de6d-40c6-8726-025b79d10b69

Timeline

Publicly Published
2018-01-04 (about 8 years ago)
Added
2018-04-09 (about 8 years ago)
Last Updated
2020-04-15 (about 6 years ago)

Other

Published
Title
Published
2021-05-26
Title
Gallery From Files <= 1.6.0 - Unauthenticated RCE
Published
2026-03-22
Title
ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More < 2.3.0 - Unauthenticated Limited Remote Code Execution
Published
2024-05-23
Title
Email Log < 2.4.9 - Unauthenticated Hook Injection
Published
2025-09-09
Title
Easy Appointments < 3.12.14.1 - Unauthenticated Arbitrary Shortcode Execution
Published
2024-09-30
Title
Iconize <= 1.2.4 - Authenticated (Admin+) Remote Code Execution