WordPress Plugin Vulnerabilities

CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal

Description

The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

Proof of Concept

As admin, put the following payload in the "Cache directory for analytics.js" setting of the plugin: ../wp-includes, tick the "Remove settings at Uninstall" setting and uninstall the plugin to delete the wp-includes folder

Affects Plugins

Plugin icon
host-analyticsjs-local
Fixed in 4.1.9

References

CVE
CVE-2021-25020

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
https://jsgm.dev
Verified
Yes
WPVDB ID
67398332-b93e-46ae-8904-68419949a124

Timeline

Publicly Published
2021-12-01 (about 2 years ago)
Added
2021-12-01 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2023-11-21
Title
Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal
Published
2016-03-29
Title
Ebook Download < 1.2 - Directory Traversal
Published
2022-10-14
Title
WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
Published
2023-01-23
Title
Customer Reviews for WooCommerce < 5.16.0 - Contributor+ LFI
Published
2022-09-19
Title
Contact Form by WPForms < 1.7.5.5 - Admin+ Arbitrary File Access