Advanced Contact form 7 DB < 1.8.7 – Subscriber+ Arbitrary File Deletion | CVE 2021-24905 | Plugin Vulnerabilities

Description

The plugin does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.

Note: 1.8.3 added capability and CSRF checks, path traversal fully fixed in 1.8.7

Proof of Concept

fetch("/wp-admin/admin-ajax.php?action=acf7_db_edit_scr_file_delete", {"method": "post", "headers": {'Content-Type': 'application/x-www-form-urlencoded'}, "body": "fid=1&rid=1&field=1&val=../../../license.txt"})

Affects Plugins

advanced-cf7-db

Fixed in 1.8.7

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Verified

Yes

WPVDB ID

cf022415-6614-4b95-913b-802186766ae6

Timeline

Publicly Published

2022-02-22 (about 3 years ago)

Added

2022-02-22 (about 3 years ago)

Last Updated

2022-04-10 (about 3 years ago)

Other

Published

Title

Published

2019-07-10

Title

WP-GraphQL < 0.3.5 - Improper Access Control

Published

2021-06-04

Title

Social Sharing Plugin - Kiwi 2.1.0 - Unauthenticated Arbitrary WordPress Options Update and Read

Published

2021-05-26

Title

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import

Published

2021-07-05

Title

Filter Gallery < 0.0.7 - Unauthorised AJAX Calls

Published

2024-05-14

Title

Password Protected < 2.6.7 - Missing Authorization to Sensitive Information Exposure