WordPress is vulnerable to arbitrary file deletion. The vulnerability can be triggered because the application does not check the filename inside the wp_delete_attachment
function in wp-includes/post.php
, allowing an attacker to input a malicious filename string via thumb
parameter to cause arbitrary file deletion. This only works if the attacker has access permission for files and posts that are normally available only to the Author, Editor, and Administrator roles.
packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html
www.securityfocus.com/bid/104569
blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
github.com/johnpbloch/wordpress-core/blob/master/wp-includes/post.php#L5322
github.com/kkarpieszuk/rips_hotfix/releases/tag/0.1
lists.debian.org/debian-lts-announce/2018/07/msg00046.html
wpvulndb.com/vulnerabilities/9100
www.debian.org/security/2018/dsa-4250