OMGF < 4.5.4 – Subscriber+ Arbitrary File/Folder Deletion | CVE 2021-24639 | Plugin Vulnerabilities

Description

The plugin does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.

Proof of Concept

As an authenticated user, with a role as low as subscriber, viewing the admin the dashboard (/wp-admin/index.php), run the below command in the Web Developer console of the web browser. This will delete /wp-content/index.php file ("silence is golden"). You can also do /../../../** or /../../../wp-admin/ or... (assuming you want to destroy the installation).

jQuery.post(ajaxurl,{action:"omgf_ajax_empty_dir",section:"/../../index.php"})

Affects Plugins

host-webfonts-local

Fixed in 4.5.4

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

1ada2a96-32aa-4e37-809c-705db6026e0b

Timeline

Publicly Published

2021-08-23 (about 4 years ago)

Added

2021-08-23 (about 4 years ago)

Last Updated

2022-03-07 (about 3 years ago)

Other

Published

Title

Published

2024-04-15

Title

Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.3.2 - Sensitive Information Exposure via Log Files

Published

2025-01-16

Title

WP Hotel Booking < 2.1.6 - Missing Authorization

Published

2024-08-26

Title

NitroPack < 1.16.8 - Unauthenticated Arbitrary Shortcode Execution

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated Arbitrary Account Change

Published

2025-02-03

Title

B Slider- Gutenberg Slider Block for WP < 1.1.24 - Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode