WordPress Plugin Vulnerabilities

Insert or Embed Articulate Content into WordPress < 4.29991 - Authenticated Arbitrary Folder Deletion and Rename

Description

The lack of CSRF, Authorisation and Path Traversal checks in wp_ajax_del_dir() and wp_ajax_rename_dir() AJAX methods in functions.php make it possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders. CSRF attacks against such authenticated users is also possible, in order to make them perform those malicious actions.

Proof of Concept

Affects Plugins

Plugin icon
insert-or-embed-articulate-content-into-wordpress
Fixed in 4.29991

References

CVE
CVE-2019-15648
URL
https://plugins.trac.wordpress.org/changeset?old=2114846&old_path=insert-or-embed-articulate-content-into-wordpress%2Ftrunk%2Ffunctions.php&new=2115820&new_path=insert-or-embed-articulate-content-into-wordpress%2Ftrunk%2Ffunctions.php

Miscellaneous

Original Researcher
WPScanTeam
Submitter
WPScanTeam
Submitter website
https://wpscan.org
Submitter twitter
_WPScan_
Verified
Yes
WPVDB ID
b2b405ac-88b4-4201-bdc3-9d5842db2ac5

Timeline

Publicly Published
2019-07-02 (about 6 years ago)
Added
2019-07-02 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2019-07-10
Title
File Manager < 5.2 - Multiple Vulnerabilities
Published
2017-05-11
Title
Tracking Code Manager < 1.11.4 - Authenticated XSS, CSRF & DoS
Published
2016-04-17
Title
Kento Post View Counter <= 2.8 - CSRF & multiple XSS
Published
2019-06-15
Title
Dropshix < 4.0.14 - Arbitrary Product Import
Published
2015-07-08
Title
SEO SearchTerms Tagging 2 <= 1.535 - XSS & Authenticated SQL Injection