WordPress Plugin Vulnerabilities
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
Description
The plugin does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.
Proof of Concept
As an authenticated user, with a role as low as subscriber, viewing the admin the dashboard (/wp-admin/index.php), run the below command in the Web Developer console of the web browser. This will delete /wp-content/index.php file ("silence is golden"). You can also do /../../../** or /../../../wp-admin/ or... (assuming you want to destroy the installation).
jQuery.post(ajaxurl,{action:"omgf_ajax_empty_dir",section:"/../../index.php"}) Affects Plugins
Fixed in version 4.5.4
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-08-23 (about 9 months ago)
Added
2021-08-23 (about 9 months ago)
Last Updated
2022-03-07 (about 2 months ago)