Error Log Viewer < 1.1.2 – Arbitrary Text File Deletion via CSRF | CVE 2021-24761 | Plugin Vulnerabilities

Description

The plugin does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server.

Proof of Concept

On Web Servers other than Windows, the /wp-content/plugins/error-log-viewer/saved_logs/ folder must exist for the attack to be successful, on Windows ones, there is no need for it

To delete the readme.txt of the plugin: https://example.com/wp-admin/admin.php?page=rrrlgvwr-monitor.php&saved_logs_action=delete&rrrlgvwr_check_del=../readme

Affects Plugins

error-log-viewer

Fixed in 1.1.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

c14e1ba6-fc00-4150-b541-0d6740fee4d2

Timeline

Publicly Published

2021-12-29 (about 2 years ago)

Added

2021-12-29 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Ticket Creation via CSRF

Published

2023-03-16

Title

Bulk Resize Media <= 1.1 - CSRF

Published

2021-08-19

Title

Donate With QRCode <= 1.4.5 - Plugin's Setting Update via CSRF

Published

2023-02-14

Title

Locatoraid Store Locator < 3.9.12 - CSRF

Published

2018-06-07

Title

Add Social Share Buttons for Whatsapp and Viber < 1.1 - CSRF to Settings Change