wpvulndb WPScanTeam WPVDB-ID:B2B405AC-88B4-4201-BDC3-9D5842DB2AC5
History Jul 02, 2019 - 12:00 a.m.

Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename

2019-07-02 00:00:00
WPScanTeam
wpscan.com
6

EPSS 0.001 Low, Percentile 22.8%

Missing CSRF, authorisation and path traversal checks in the wp_ajax_del_dir() and wp_ajax_rename_dir() AJAX methods in functions.php make it possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders. CSRF attacks against such authenticated users are also possible, making them perform those malicious actions.

PoC

The dir parameter can be changed: for example, using '../' will delete the content of wp-content/uploads. To rename and move wp-content/uploads/articulate_uploads to wp-content/yolo:
https:///wp-admin/admin-ajax.php?action=rename_dir&dir_name=/&title=../../yolo/
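
The three checks the description lists as missing (CSRF, authorisation, path containment), shown for the rename case as an added example; this is not the plugin's code or its actual fix. The `example_*` names, the `example_rename_dir` nonce action, the `nonce` field and the `manage_options` capability are assumptions; `dir_name` and `title` are the parameters from the PoC.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's own code.

// Resolve $dir under $base; return the real path only if it is a strict
// descendant of $base, otherwise null. Rejects "../" and symlink escapes.
function example_resolve_inside(string $base, string $dir): ?string {
    $base_real = realpath($base);
    $target    = realpath($base . DIRECTORY_SEPARATOR . $dir);
    if ($base_real === false || $target === false) {
        return null;
    }
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// A rename target must be one plain folder name, never a path.
function example_is_plain_name(string $name): bool {
    return $name !== '' && $name !== '.' && $name !== '..'
        && strpbrk($name, "/\\\0") === false;
}

// AJAX rename handler (only runs inside WordPress).
function example_ajax_rename_dir(): void {
    check_ajax_referer('example_rename_dir', 'nonce'); // CSRF: dies on a bad nonce
    if (!current_user_can('manage_options')) {         // authorisation (assumed capability)
        wp_send_json_error('forbidden', 403);
    }
    $base = wp_upload_dir()['basedir'] . '/articulate_uploads';
    $src  = example_resolve_inside($base, (string) wp_unslash($_REQUEST['dir_name'] ?? ''));
    $new  = (string) wp_unslash($_REQUEST['title'] ?? '');
    if ($src === null || !example_is_plain_name($new)) {
        wp_send_json_error('invalid path', 400);
    }
    if (!rename($src, $base . '/' . $new)) {
        wp_send_json_error('rename failed', 500);
    }
    wp_send_json_success();
}

if (function_exists('add_action')) {
    add_action('wp_ajax_example_rename_dir', 'example_ajax_rename_dir');
} else {
    // Stand-alone run on a constructed directory tree (no WordPress needed).
    $base = sys_get_temp_dir() . '/articulate_demo_' . getmypid();
    mkdir($base . '/course1', 0700, true);
    var_dump(example_resolve_inside($base, 'course1') !== null); // folder inside base
    var_dump(example_resolve_inside($base, '../'));              // parent of base
    var_dump(example_resolve_inside($base, '/'));                // base itself
    var_dump(example_is_plain_name('../../yolo/'));              // title from the PoC
    rmdir($base . '/course1'); rmdir($base);
}
```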
