WordPress Plugin Vulnerabilities

Awesome Support < 6.1.5 - Submitter+ Arbitrary File Deletion

Description

The plugin does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server.

Proof of Concept

1. Visit Tickets > Settings > File Upload
2. Ensure "Enable File Upload", "Enable drag-n-drop uploader for ticket form", and "Check this to allow users to delete attachments" are checked, and save the settings.
3. As a ticket submitter, open the form to submit a ticket. Upload an attachment.
4. Remove the attachment, and intercept the request. Replace the file name with `../../../../wp-config.php`.
5. Reload the page to see that the `wp-config.php` file has been deleted.

Affects Plugins

Plugin icon
awesome-support
Fixed in 6.1.5

References

CVE
CVE-2023-5355

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
d6f7faca-dacf-4455-a837-0404803d0f25

Timeline

Publicly Published
2023-10-16 (about 1 months ago)
Added
2023-10-16 (about 1 months ago)
Last Updated
2023-10-17 (about 1 months ago)

Other

Published
Title
Published
2023-09-03
Title
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Published
2021-09-30
Title
JS Job Manager < 1.1.9 - Unauthenticated Arbitrary Plugin Installation/Activation
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion
Published
2021-11-15
Title
User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
Published
2021-07-02
Title
Workreap < 2.2.2 - Missing Authorization Checks in Ajax Actions