WordPress Plugin Vulnerabilities

OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal

Description

The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

Proof of Concept

As admin, put the following payload in the "Fonts Cache Directory" setting of the plugin: ../wp-includes, tick the "Remove settings at Uninstall" setting and uninstall the plugin to delete the wp-includes folder

Affects Plugins

Plugin icon
host-webfonts-local
Fixed in 4.5.12

References

CVE
CVE-2021-25021

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
José Aguilera
Submitter
José Aguilera
Submitter website
https://jsgm.dev
Verified
Yes
WPVDB ID
92db763c-ca6b-43cf-87ff-c1678cf4ade5

Timeline

Publicly Published
2021-12-01 (about 2 years ago)
Added
2021-12-01 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2021-08-23
Title
OMGF < 4.5.4 - Unauthenticated Path Traversal in REST API
Published
2023-05-15
Title
Snow Monkey Forms < 5.0.7 - Unauthenticated Path Traversal
Published
2020-03-13
Title
WordPress File Upload < 4.13.0 - Directory Traversal to RCE
Published
2015-09-30
Title
mTheme Unus < 2.3 - Directory Traversal
Published
2021-01-15
Title
Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download