WordPress Plugin Vulnerabilities
CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal
Description
The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin
Proof of Concept
As admin, put the following payload in the "Cache directory for analytics.js" setting of the plugin: ../wp-includes, tick the "Remove settings at Uninstall" setting and uninstall the plugin to delete the wp-includes folder
Affects Plugins
Fixed in version 4.1.9
References
Classification
Miscellaneous
Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
Verified
Yes
Timeline
Publicly Published
2021-12-01 (about 5 months ago)
Added
2021-12-01 (about 5 months ago)
Last Updated
2022-04-09 (about 1 months ago)