Description
The plugin does not sanitize the file name supplied when deleting temporary attachment files: the user-controlled value is joined onto the temporary upload directory without stripping directory components, so a traversal sequence such as ../ escapes that directory. A ticket submitter can therefore delete arbitrary files on the server that the web server user has permission to remove, including wp-config.php.
Proof of Concept
1. Visit Tickets > Settings > File Upload.
2. Ensure “Enable File Upload”, “Enable drag-n-drop uploader for ticket form”, and “Check this to allow users to delete attachments” are checked, and save the settings.
3. As a ticket submitter, open the form to submit a ticket and upload an attachment.
4. Remove the attachment and intercept the request. Replace the file name with ../../../../wp-config.php (the number of ../ segments depends on where the plugin stores temporary uploads relative to the WordPress root).
5. Reload the page to see that the wp-config.php file has been deleted.
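The following is an added illustration of the bug class and its fix, not code from the plugin. The function names, the temporary directory layout and the demo files are hypothetical; the vulnerable variant reproduces the pattern the advisory describes (user-supplied name concatenated onto the temp directory and passed to unlink), and the hardened variant shows the checks a practitioner would expect: drop directory components, resolve the real path, and refuse anything that does not stay under the temp directory.

```php
<?php
// Added example, not the plugin's own code. All names are hypothetical.

// Vulnerable pattern: the user-controlled name is joined straight onto the
// temp directory, so "../../../../wp-config.php" walks out of it.
function delete_temp_attachment_vulnerable( string $tmp_dir, string $user_file ): bool {
    $path = rtrim( $tmp_dir, '/' ) . '/' . $user_file;
    return file_exists( $path ) && unlink( $path );
}

// Hardened pattern: strip directory components, resolve the real path and
// enforce that the result is still inside the temp directory. In a real
// plugin you would additionally check that the file belongs to the current
// submitter (e.g. a name recorded in their session when it was uploaded)
// and verify a nonce on the delete request.
function delete_temp_attachment_safe( string $tmp_dir, string $user_file ): bool {
    $base = realpath( $tmp_dir );
    if ( false === $base ) {
        return false;
    }
    // basename() drops every directory component, including "..".
    $name = basename( $user_file );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return false;
    }
    // realpath() follows symlinks, so a link planted in the temp dir that
    // points elsewhere also fails the containment check below.
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $path || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    if ( ! is_file( $path ) ) {
        return false;
    }
    return unlink( $path );
}

// Demo against constructed files in a scratch directory (no real site touched).
$root = sys_get_temp_dir() . '/tickets-demo-' . bin2hex( random_bytes( 4 ) );
mkdir( $root . '/uploads', 0700, true );
file_put_contents( $root . '/wp-config.php', "<?php // stand-in for the real config\n" );
file_put_contents( $root . '/uploads/attachment.txt', "constructed attachment\n" );

$traversal = '../wp-config.php'; // one level here; the advisory uses four

// Hardened version: traversal is rejected, the legitimate file is removed.
var_dump( delete_temp_attachment_safe( $root . '/uploads', $traversal ) );
var_dump( file_exists( $root . '/wp-config.php' ) );
var_dump( delete_temp_attachment_safe( $root . '/uploads', 'attachment.txt' ) );

// Vulnerable version: the same traversal name deletes the stand-in config.
var_dump( delete_temp_attachment_vulnerable( $root . '/uploads', $traversal ) );
var_dump( file_exists( $root . '/wp-config.php' ) );

// Clean up the scratch directory.
rmdir( $root . '/uploads' );
rmdir( $root );
```

Run it with the PHP CLI; the first three dumps show the hardened function refusing the traversal name while still deleting the legitimate attachment, and the last two show the vulnerable function removing the stand-in wp-config.php. Note that basename() alone is not the whole fix: the realpath() containment check is what also defeats symlinks and any encoding the plugin might decode before calling unlink.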