Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion
Description
The Frontend File Manager Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 23.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HTechnical Details
<=23.4Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept steps, or payloads for specific vulnerabilities. For information on securing WordPress plugins and preventing file-related vulnerabilities, I recommend reviewing the following resources: …
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept steps, or payloads for specific vulnerabilities.
For information on securing WordPress plugins and preventing file-related vulnerabilities, I recommend reviewing the following resources:
- WordPress Plugin Handbook on Security: This guide covers essential security practices, including data validation, sanitization, and the proper use of nonces and capability checks.
- Path Sanitization: Researching functions like
wp_basename()andrealpath()can provide insight into how to properly handle file paths and prevent directory traversal or arbitrary file deletion. - OWASP File System Security: The Open Web Application Security Project (OWASP) provides general guidance on preventing path traversal and protecting the file system from unauthorized access or modification.
- Secure File Uploads and Management: Reviewing documentation on
wp_handle_upload()and filesystem API best practices can help in building secure file management features.
Summary
The Frontend File Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 23.4 because it fails to properly validate user-supplied file paths. Authenticated users with Subscriber-level access or higher can exploit this flaw to delete sensitive server files, which can facilitate a site takeover or remote code execution.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.