Awesome Support < 6.1.5 – Submitter+ Arbitrary File Deletion | CVE 2023-5355 | Plugin Vulnerabilities

Description

The plugin does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server.

Proof of Concept

1. Visit Tickets > Settings > File Upload
2. Ensure "Enable File Upload", "Enable drag-n-drop uploader for ticket form", and "Check this to allow users to delete attachments" are checked, and save the settings.
3. As a ticket submitter, open the form to submit a ticket. Upload an attachment.
4. Remove the attachment, and intercept the request. Replace the file name with `../../../../wp-config.php`.
5. Reload the page to see that the `wp-config.php` file has been deleted.

Affects Plugins

awesome-support

Fixed in 6.1.5

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

d6f7faca-dacf-4455-a837-0404803d0f25

Timeline

Publicly Published

2023-10-16 (about 2 years ago)

Added

2023-10-16 (about 2 years ago)

Last Updated

2023-10-17 (about 2 years ago)

Other

Published

Title

Published

2025-03-11

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.9.9 - Authenticated (Contributor+) Private Post Disclosure in pagelayer_builder_posts_shortcode

Published

2020-10-16

Title

TI WooCommerce Wishlist - Authenticated WP Options Change

Published

2016-12-06

Title

Ultimate Member < 1.3.76 - Unauthenticated Change Passwords

Published

2021-09-20

Title

Multiple WooCommerce Add-Ons - Low Priv Arbitrary Blog Options Update/Access/Deletion & Plugin's Settings Update/Export/Import

Published

2021-12-28

Title

LabTools <= 1.0 - Subscriber+ Arbitrary Publication Deletion