WordPress Plugin Vulnerabilities

OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion

Description

The plugin does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.

Proof of Concept

As an authenticated user, with a role as low as subscriber, viewing the admin the dashboard (/wp-admin/index.php), run the below command in the Web Developer console of the web browser. This will delete /wp-content/index.php file ("silence is golden"). You can also do /../../../** or /../../../wp-admin/ or... (assuming you want to destroy the installation).

jQuery.post(ajaxurl,{action:"omgf_ajax_empty_dir",section:"/../../index.php"})

Affects Plugins

Plugin icon
host-webfonts-local
Fixed in 4.5.4

References

CVE
CVE-2021-24639

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
1ada2a96-32aa-4e37-809c-705db6026e0b

Timeline

Publicly Published
2021-08-23 (about 2 years ago)
Added
2021-08-23 (about 2 years ago)
Last Updated
2022-03-07 (about 2 years ago)

Other

Published
Title
Published
2020-08-21
Title
Contact Form - Form builder by Kali Forms < 2.1.2 - Unauthenticated Arbitrary Post Deletion
Published
2024-02-02
Title
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator < 4.4.2 - Missing Authorization
Published
2023-09-03
Title
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Published
2021-01-12
Title
WP Quick FrontEnd Editor <= 5.5 - Authenticated Settings Change leading to Stored XSS
Published
2023-12-14
Title
WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS