WordPress Plugin Vulnerabilities

Merge + Minify + Refresh < 1.10.8 - Authenticated Arbitrary File Delete

Description

The plugin relied on the is_admin() check, without checking the user's capabilities, when deleting arbitrary files.

The functionality was also vulnerable to Cross-site Request Forgery (CSRF) allowing attackers to delete arbitrary files by tricking authenticated users into visiting a page they controlled.

In WordPress, if the wp-config.php file is deleted, it triggers the installation process, allowing an attacker to re-install WordPress and become admin.

Proof of Concept

Affects Plugins

Plugin icon
merge-minify-refresh
Fixed in 1.10.8

References

URL
https://wearetradecraft.com/advisories/tc-2020-0002/
URL
https://plugins.trac.wordpress.org/changeset/2234960/merge-minify-refresh

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher
Glyn Wintle (Tradecraft)
Verified
No
WPVDB ID
262b30e2-4fcb-4034-a33f-25dad6993ec1

Timeline

Publicly Published
2020-02-05 (about 6 years ago)
Added
2020-03-09 (about 6 years ago)
Last Updated
2020-03-10 (about 6 years ago)

Other

Published
Title
Published
2025-10-15
Title
Ace User Management <= 2.0.3 - Subscriber+ Authentication Bypass via Password Rest
Published
2014-08-01
Title
Portable phpMyAdmin 1.4.1 - Multiple Script Direct Request Authentication Bypass
Published
2020-04-28
Title
LearnPress < 3.2.6.9 - Authenticated Post Creation and Status Modification
Published
2026-02-12
Title
Login with Salesforce <= 1.0.2 - Unauthenticated Authentication Bypass
Published
2014-08-01
Title
Spam Free Plugin 1.9.2 - IP Blocklist Restriction Bypass