WordPress Plugin Vulnerabilities

CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal

Description

The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

Proof of Concept

As admin, put the following payload in the "Cache directory for analytics.js" setting of the plugin: ../wp-includes, tick the "Remove settings at Uninstall" setting and uninstall the plugin to delete the wp-includes folder

Affects Plugins

Plugin icon
host-analyticsjs-local
Fixed in 4.1.9

References

CVE
CVE-2021-25020

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
https://jsgm.dev
Verified
Yes
WPVDB ID
67398332-b93e-46ae-8904-68419949a124

Timeline

Publicly Published
2021-12-01 (about 2 years ago)
Added
2021-12-01 (about 2 years ago)
Last Updated
2022-04-09 (about 1 years ago)

Other

Published
Title
Published
2022-03-01
Title
Folders Disclosure via Outdated jQueryFileTree Library
Published
2014-09-20
Title
W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read
Published
2021-12-14
Title
True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
Published
2022-09-05
Title
Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal
Published
2022-08-29
Title
WPvivid Backup 0.9.76 - Admin+ Arbitrary File Deletion