wpvulndb / Krzysztof Zając / WPVDB-ID: CF022415-6614-4B95-913B-802186766AE6
History: Feb 22, 2022 - 12:00 a.m.

Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion

Published: 2022-02-22 00:00:00
Author: Krzysztof Zając
Source: wpscan.com
Tags: contact form 7, arbitrary file deletion, csrf checks, wordpress setup, path traversal, security vulnerability

EPSS: 0.001 (percentile 32.8%)

The plugin has neither authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing wp-config.php allows attackers to trigger the WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to users. Note: version 1.8.3 added capability and CSRF checks; the path traversal was fully fixed in 1.8.7.

PoC

fetch("/wp-admin/admin-ajax.php?action=acf7_db_edit_scr_file_delete", {"method": "post", "headers": {'Content-Type': 'application/x-www-form-urlencoded'}, "body": "fid=1&rid=1&field=1&val=../../../license.txt"})
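A hardened version of the AJAX handler, added here as an illustration and not taken from the plugin or from the vendor's 1.8.3/1.8.7 fix: it adds the three controls the description says were missing (a CSRF nonce, a capability check, and confinement of the deletion target to the plugin's own upload directory). The action name and the val parameter come from the advisory; the nonce name, the capability and the upload sub-directory are assumptions.

```php
<?php
// Illustrative hardened handler for the acf7_db_edit_scr_file_delete action.
// Not the plugin's code; nonce name, capability and directory are assumptions.
add_action( 'wp_ajax_acf7_db_edit_scr_file_delete', 'acf7_db_hardened_file_delete' );

function acf7_db_hardened_file_delete() {
    // 1. CSRF: require a nonce issued for this action (name is an assumption).
    check_ajax_referer( 'acf7_db_file_delete', 'nonce' );

    // 2. Authorisation: a plain subscriber must not reach the delete path
    //    (the capability chosen here is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path validation: only a file that resolves inside the plugin's
    //    upload directory may be deleted; "../" sequences never escape it.
    $name   = isset( $_POST['val'] ) ? wp_unslash( $_POST['val'] ) : '';
    $target = acf7_db_resolve_inside( acf7_db_upload_base_dir(), $name );
    if ( null === $target ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! @unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}

// Assumed storage location: a plugin-specific sub-directory of the uploads dir.
function acf7_db_upload_base_dir() {
    $uploads = wp_upload_dir();
    return trailingslashit( $uploads['basedir'] ) . 'advanced-cf7-upload';
}

// Returns the canonical path of $name inside $base, or null if the name is
// empty, carries directory components, or does not resolve to a regular file
// under $base (the realpath prefix check also rejects symlinks pointing out).
function acf7_db_resolve_inside( $base, $name ) {
    $name = sanitize_file_name( basename( (string) $name ) ); // drops any ../
    if ( '' === $name ) {
        return null;
    }
    $real_base = realpath( $base );
    $real_file = realpath( $base . '/' . $name );
    if ( false === $real_base || false === $real_file ) {
        return null;
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $real_file, $real_base ) || ! is_file( $real_file ) ) {
        return null;
    }
    return $real_file;
}
```

With these checks the request shown in the PoC above fails at the nonce check, and a request carrying a valid nonce still fails unless the caller holds the capability and names a file that actually lives in the upload directory.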

