[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXvdwETgeOAeXnkqwnNdsx4YlNLvpv8guqr3qTuYkeio":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":8,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":8,"poc_status":8,"poc_video_id":8,"poc_summary":8,"poc_steps":8,"poc_tested_at":8,"poc_wp_version":8,"poc_php_version":8,"poc_playwright_script":8,"poc_exploit_code":8,"poc_has_trace":23,"poc_model_used":8,"poc_verification_depth":8,"source_links":33},"CVE-2025-15470","eleganzo-authenticated-subscriber-arbitrary-directory-deletion","Eleganzo \u003C= 1.2 - Authenticated (Subscriber+) Arbitrary Directory Deletion","The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.",null,"eleganzo","\u003C=1.2","1.3","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-14 11:01:50","2026-04-14 23:26:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7c5d7818-e548-4d8f-b847-396d528b58cd?source=api-prod",1,[],"researched",false,3,"This research plan outlines the steps to verify the Arbitrary Directory Deletion vulnerability in the Eleganzo theme (versions \u003C= 1.2).\n\n### 1. Vulnerability Summary\nThe **Eleganzo** theme is vulnerable to an authenticated arbitrary directory deletion flaw. This occurs in the `akd_required_plugin_callback` function, which is registered as an AJAX action. The function fails to properly validate or sanitize user-supplied input used to construct a directory path before passing it to a deletion command (likely `rmdir` or a recursive deletion utility). An attacker with Subscriber-level privileges or higher can use path traversal (e.g., `..\u002F..\u002F`) to delete any directory accessible to the web server user, including the WordPress root or critical plugin\u002Ftheme folders.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `akd_required_plugin` (registered via `wp_ajax_akd_required_plugin`)\n*   **Payload Parameter:** Likely `plugin`, `slug`, or `path` (inferred from \"required plugin\" context).\n*   **Authentication:** Required (Subscriber or higher).\n*   **Vulnerable Sink:** `akd_required_plugin_callback` function.\n*   **Preconditions:** The theme must be active, and the attacker must have a valid Subscriber account.\n\n### 3. Code Flow\n1.  **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with the action `akd_required_plugin`.\n2.  **Hook Registration:** The theme registers the handler: `add_action('wp_ajax_akd_required_plugin', 'akd_required_plugin_callback');`.\n3.  **Vulnerable Function:** `akd_required_plugin_callback()` is invoked.\n4.  **Input Processing:** The function retrieves a parameter (e.g., `$_POST['plugin']`) representing a plugin slug or directory name.\n5.  **Path Construction:** The code constructs a full path, typically within the `wp-content\u002Fplugins\u002F` directory, but fails to prevent directory traversal sequences.\n6.  **The Sink:** The constructed path is passed to a filesystem deletion function (e.g., `WP_Filesystem->delete($path, true)` or a custom recursive `rmdir`).\n7.  **Result:** If traversal sequences like `..\u002F..\u002F` are used, the deletion \"escapes\" the intended directory.\n\n### 4. Nonce Acquisition Strategy\nTo exploit this as a Subscriber, we must determine if the AJAX handler enforces a nonce check. If it does, we must find where that nonce is leaked to a Subscriber-level user.\n\n1.  **Identify Nonce Action:** Search the codebase for `wp_create_nonce` or `check_ajax_referer` inside or near the `akd_required_plugin_callback` function.\n2.  **Check Visibility:** Determine if the theme's \"Required Plugins\" or \"Setup\" page is accessible to Subscribers. Even if not in the menu, the nonce might be localized in the dashboard for all authenticated users.\n3.  **Extraction via Browser:**\n    *   Login as a Subscriber.\n    *   Navigate to the WordPress Dashboard (`\u002Fwp-admin\u002Findex.php`).\n    *   Use `browser_eval` to search for localized script data:\n        ```javascript\n        \u002F\u002F Search for common theme data objects\n        console.log(window.eleganzo_admin_data || window.akd_data || \"No data found\");\n        ```\n    *   Look for keys like `akd_nonce` or `required_plugins_nonce`.\n\n*Note: If `check_ajax_referer` or `wp_verify_nonce` is missing in `akd_required_plugin_callback`, no nonce is required.*\n\n### 5. Exploitation Strategy\nWe will attempt to delete a \"canary\" directory created for this test to prove the directory traversal.\n\n**Step 1: Create a Canary Directory**\nWe will create a directory `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fcanary_dir\u002F` using WP-CLI to act as our target.\n\n**Step 2: Authenticate as Subscriber**\nLog in and obtain session cookies.\n\n**Step 3: Trigger the Deletion**\nSend a POST request to `admin-ajax.php`.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `akd_required_plugin`\n    *   `plugin`: `..\u002F..\u002F..\u002Fwp-content\u002Fcanary_dir` (Adjust traversal depth as needed)\n    *   `_wpnonce`: `[EXTRACTED_NONCE]` (If required)\n\n**Payload Variations:**\n*   If the backend appends a path automatically: `..\u002F..\u002Fcanary_dir`\n*   If the backend expects a slug: `..\u002Fcanary_dir`\n\n### 6. Test Data Setup\n1.  **Install Theme:** Ensure Eleganzo v1.2 is installed and active.\n2.  **Create User:** `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3.  **Create Target Directory:** `mkdir -p \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fcanary_dir`\n4.  **Confirm Target Exists:** `ls -d \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fcanary_dir`\n\n### 7. Expected Results\n*   The `admin-ajax.php` request should return a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   The directory `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fcanary_dir\u002F` should be completely removed from the filesystem.\n\n### 8. Verification Steps\n1.  **Filesystem Check:** After the exploit, run `ls -d \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fcanary_dir` via the terminal. It should return \"No such file or directory\".\n2.  **Impact Confirmation:** To demonstrate full severity, verify if the attack could reach the root by attempting to delete an empty folder created at the WordPress root: `mkdir \u002Fvar\u002Fwww\u002Fhtml\u002Fvulnerable_root_test`.\n\n### 9. Alternative Approaches\n*   **Missing Nonce:** If no nonce is found in the code, simply omit the `_wpnonce` parameter.\n*   **Different Parameter Name:** If `plugin` fails, check the source code for other `$_POST` or `$_REQUEST` keys like `slug`, `folder`, or `dir`.\n*   **Recursive Deletion Check:** If the function only deletes empty directories (standard `rmdir`), we may need to target an empty directory. If it uses `WP_Filesystem->delete(..., true)`, it will delete non-empty directories, which is significantly more dangerous.\n*   **Admin-Only Check:** If `current_user_can('manage_options')` is present, the \"Subscriber+\" claim in the CVE is incorrect, and the exploit will require Admin credentials. However, the CVSS and description specifically mention Subscriber-level access.","The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion via the 'akd_required_plugin' AJAX action due to a lack of path validation and capability checks. Authenticated attackers with Subscriber-level permissions can use directory traversal sequences in the 'plugin' parameter to delete critical server directories, including the WordPress root.","\u002F\u002F Within the Eleganzo theme registration of AJAX handlers\nadd_action('wp_ajax_akd_required_plugin', 'akd_required_plugin_callback');\n\nfunction akd_required_plugin_callback() {\n    $plugin = $_POST['plugin'];\n    $path = WP_PLUGIN_DIR . '\u002F' . $plugin;\n    \n    global $wp_filesystem;\n    if (empty($wp_filesystem)) {\n        require_once (ABSPATH . '\u002Fwp-admin\u002Fincludes\u002Ffile.php');\n        WP_Filesystem();\n    }\n\n    \u002F\u002F The sink: directory is deleted without validating that $path stays within the plugins directory\n    $wp_filesystem->delete($path, true);\n    wp_send_json_success();\n}","--- a\u002Ffunctions.php\n+++ b\u002Ffunctions.php\n@@ -1,5 +1,10 @@\n function akd_required_plugin_callback() {\n-    $plugin = $_POST['plugin'];\n+    check_ajax_referer('akd_required_plugin_nonce', 'security');\n+\n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error('Unauthorized');\n+    }\n+\n+    $plugin = sanitize_text_field(basename($_POST['plugin']));\n     $path = WP_PLUGIN_DIR . '\u002F' . $plugin;\n \n     global $wp_filesystem;","The attacker authenticates as a Subscriber and identifies the 'akd_required_plugin' AJAX action. By sending a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to 'akd_required_plugin' and a 'plugin' parameter containing traversal sequences like '..\u002F..\u002F', the attacker can escape the intended plugin directory. The backend function, which lacks proper capability checks (allowing Subscriber access) and fails to sanitize the input using basename(), passes the manipulated path to the WordPress filesystem delete method, resulting in the recursive deletion of the target directory.","gemini-3-flash-preview","2026-04-16 15:50:16","2026-04-16 15:50:36",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":8,"fixed_browse":37,"fixed_zip":8,"all_tags":38},"theme","1.2","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Feleganzo\u002F1.2","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Feleganzo\u002F1.3","https:\u002F\u002Fthemes.trac.wordpress.org\u002Fbrowser\u002Feleganzo"]