OMGF < 4.5.12 – Admin+ Arbitrary Folder Deletion via Path Traversal | CVE 2021-25021 | Plugin Vulnerabilities

Description

The plugin does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

Proof of Concept

As admin, put the following payload in the "Fonts Cache Directory" setting of the plugin: ../wp-includes, tick the "Remove settings at Uninstall" setting and uninstall the plugin to delete the wp-includes folder

Affects Plugins

host-webfonts-local

Fixed in 4.5.12

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

José Aguilera

Submitter

José Aguilera

Submitter website

https://jsgm.dev

Verified

Yes

WPVDB ID

92db763c-ca6b-43cf-87ff-c1678cf4ade5

Timeline

Publicly Published

2021-12-01 (about 4 years ago)

Added

2021-12-01 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2022-09-06

Title

BackupBuddy < 8.7.5 - Unauthenticated Arbitrary File Access

Published

2019-01-25

Title

Health Check & Troubleshooting <= 1.2.3 - Authenticated Path Traversal

Published

2022-08-09

Title

WPide < 3.0 - Admin+ Arbitrary File Read

Published

2015-08-28

Title

NextGen Gallery < 2.1.15 - Path Traversal

Published

2021-12-01

Title

CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal