The plugin has neither authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing wp-config.php allows attackers to trigger the WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to users. Note: 1.8.3 added capability and CSRF checks; the path traversal was fully fixed in 1.8.7.
fetch("/wp-admin/admin-ajax.php?action=acf7_db_edit_scr_file_delete", {"method": "post", "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": "fid=1&rid=1&field=1&val=../../../license.txt"})
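The advisory names three missing controls: a nonce (CSRF) check, a capability check, and validation of the file path. The handler below is an added example of how a WordPress AJAX delete action covers all three; it is not the plugin's own code, and the hook name, nonce action, required capability and upload sub-directory are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. A hardened replacement for an
// AJAX file-delete action with the checks the advisory says were missing:
// CSRF (nonce), authorisation (capability) and path confinement.
// Assumed: nonce action 'acf7_db_delete_file', POST field 'nonce',
// capability 'manage_options', files stored under uploads/acf7-db/.

add_action( 'wp_ajax_acf7_db_edit_scr_file_delete', 'acf7db_example_delete_file' );

/**
 * Resolve a user-supplied file name to an absolute path inside $base_dir.
 * Returns null when the name contains any path component or the resolved
 * path escapes the base directory (covers ../, symlinks and absolute paths).
 */
function acf7db_example_confine_path( $name, $base_dir ) {
    // Reject anything that is not a bare file name (no slashes, no traversal).
    if ( '' === $name || basename( $name ) !== $name || '.' === $name || '..' === $name ) {
        return null;
    }

    $base = realpath( $base_dir );
    $full = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $full ) {
        return null; // base dir missing or file does not exist
    }

    // The resolved path must sit directly under the resolved base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $full, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $full;
}

function acf7db_example_delete_file() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_ajax_referer() dies with -1 / HTTP 403 on failure.
    check_ajax_referer( 'acf7_db_delete_file', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path validation: confine the delete to the plugin's upload folder.
    $upload   = wp_upload_dir();
    $base_dir = trailingslashit( $upload['basedir'] ) . 'acf7-db'; // assumed sub-directory
    $name     = isset( $_POST['val'] ) ? sanitize_file_name( wp_unslash( $_POST['val'] ) ) : '';

    $target = acf7db_example_confine_path( $name, $base_dir );
    if ( null === $target ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // wp_delete_file_from_directory() (WP >= 4.9.7) re-checks that $target
    // is inside $base_dir before unlinking and returns false otherwise.
    if ( ! wp_delete_file_from_directory( $target, $base_dir ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The client side has to send the nonce for the first check to pass: emit `wp_create_nonce( 'acf7_db_delete_file' )` to the page (for example via `wp_localize_script()`) and include it as the `nonce` POST field. With these checks in place, the request shown in the advisory fails at the nonce check before any file name is looked at, and a traversal value such as `../../../license.txt` is rejected by the bare-file-name test even for a fully authorised caller.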