OMGF < 4.5.4 – Subscriber+ Arbitrary File/Folder Deletion | CVE 2021-24639 | Plugin Vulnerabilities

Description

The plugin does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.

Proof of Concept

As an authenticated user, with a role as low as subscriber, viewing the admin the dashboard (/wp-admin/index.php), run the below command in the Web Developer console of the web browser. This will delete /wp-content/index.php file ("silence is golden"). You can also do /../../../** or /../../../wp-admin/ or... (assuming you want to destroy the installation).

jQuery.post(ajaxurl,{action:"omgf_ajax_empty_dir",section:"/../../index.php"})

Affects Plugins

host-webfonts-local

Fixed in 4.5.4

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

1ada2a96-32aa-4e37-809c-705db6026e0b

Timeline

Publicly Published

2021-08-23 (about 4 years ago)

Added

2021-08-23 (about 4 years ago)

Last Updated

2022-03-07 (about 3 years ago)

Other

Published

Title

Published

2022-09-19

Title

Memberpress Downloads < 1.2.6 - Subscriber+ Arbitrary File Upload

Published

2024-05-21

Title

AI ChatBot < 5.3.6 - Missing Authorization via openai_file_upload_callback

Published

2021-09-30

Title

JS Job Manager < 1.1.9 - Unauthenticated Arbitrary Plugin Installation/Activation

Published

2024-01-24

Title

Views for WPForms < 3.2.3 - Missing Authorization via save_view

Published

2021-03-16

Title

wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion