Guest posting / Frontend Posting / Front Editor – WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion
Description
The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=5.0.0Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-13419 (WP Front User Submit) ## 1. Vulnerability Summary The **WP Front User Submit** (Guest posting / Frontend Posting / Front Editor) plugin for WordPress is vulnerable to **unauthorized media deletion**. The vulnerability exists in the REST API endpoint `/w…
Show full research plan
Exploitation Research Plan: CVE-2025-13419 (WP Front User Submit)
1. Vulnerability Summary
The WP Front User Submit (Guest posting / Frontend Posting / Front Editor) plugin for WordPress is vulnerable to unauthorized media deletion. The vulnerability exists in the REST API endpoint /wp-json/bfe/v1/revert, which lacks proper capability checks (permission_callback). This allows unauthenticated attackers to delete any media attachment from the WordPress library by providing its attachment ID.
2. Attack Vector Analysis
- Endpoint:
/wp-json/bfe/v1/revert - HTTP Method:
POST(Inferred for a "revert/delete" action) - Vulnerable Parameter: Likely
idorattachment_id(Inferred) - Authentication: None required (Unauthenticated)
- Preconditions: The attacker must know the numeric ID of the media attachment they wish to delete.
3. Code Flow
- Route Registration: The plugin registers the REST route in a callback hooked to
rest_api_init.- File: Likely
includes/class-wp-front-user-submit-rest.phpor similar. - Function:
register_rest_route( 'bfe/v1', '/revert', ... ). - The Bug: The
permission_callbackfor this route is either missing, returns__return_true, or does not check if the current user has thedelete_postsormanage_optionscapability.
- File: Likely
- Request Handling: When a POST request hits
/wp-json/bfe/v1/revert, the handler function is invoked. - Sink: The handler takes an ID from the request and passes it directly to
wp_delete_attachment($id, true).- The Bug: There is no check to ensure the ID belongs to a post created by the current session or that the user has any rights to modify the media library.
4. Nonce Acquisition Strategy
While the vulnerability is described as unauthenticated and missing authorization, WordPress REST API endpoints often expect a nonce in the X-WP-Nonce header if the request is made from a browser session. However, for a truly unauthenticated vulnerability in a REST endpoint, the code often fails to check this nonce or the permission_callback is explicitly set to __return_true.
To check for and acquire a nonce (if required):
- Identify Shortcode: Find the shortcode used for the frontend editor (likely
[wp_front_user_submit]or similar). - Create Page:
wp post create --post_type=page --post_status=publish --post_title="Submit" --post_content='[wp_front_user_submit]' - Extract Nonce:
- Navigate to the new page using
browser_navigate. - Inspect the page source for localized scripts. Look for a variable like
bfe_settingsorwpfs_options. - JS Command:
browser_eval("window.bfe_settings?.nonce")orbrowser_eval("window.wp_front_user_submit?.nonce").
- Navigate to the new page using
- Action check: Compare the
wp_create_nonceaction in the source with thewp_verify_nonceaction in the REST handler. If they don't match, the nonce check might be bypassable.
5. Exploitation Strategy
The exploit will attempt to delete a target attachment via a direct REST API call.
Step-by-Step:
- Discovery: Determine the target attachment ID (e.g., ID
123). - Request Construction:
- URL:
http://localhost:8080/wp-json/bfe/v1/revert - Method:
POST - Headers:
Content-Type: application/json - Body:
{"id": 123}(Verify the key nameidin the plugin's REST handler first).
- URL:
- Execution: Use the
http_requesttool to send the payload. - Verification: Check if the attachment still exists in the database.
6. Test Data Setup
- Create Target Media:
- Download a test image:
curl -o /tmp/test.jpg https://placehold.co/600x400.jpg - Import to WordPress:
wp media import /tmp/test.jpg --porcelain - Record the resulting ID (e.g.,
TARGET_ID).
- Download a test image:
- Identify Endpoint Parameter:
- Search the plugin code for the string
revert. grep -r "revert" wp-content/plugins/front-editor/- Identify the handler function and the parameter name used for the attachment ID (e.g.,
$params['id']).
- Search the plugin code for the string
7. Expected Results
- Success: The REST API returns a
200 OKor204 No Content(or a JSON success message). - Effect: The media file at
wp-content/uploads/...is deleted from the filesystem, and its entry is removed from thewp_postsandwp_postmetatables.
8. Verification Steps
- Check Database:
wp post exists <TARGET_ID>- If the exploit worked, this should return an error or indicate the post does not exist.
- Check Filesystem:
wp post get <TARGET_ID> --field=guid(before exploit) and then verify the file is gone from theuploadsdirectory. - Check Media List:
wp media listto ensure the ID is no longer present.
9. Alternative Approaches
- Parameter Variation: If
idfails, tryattachment_id,media_id, orpost_id. - Content-Type Variation: If
application/jsonfails, tryapplication/x-www-form-urlencodedwith bodyid=<TARGET_ID>. - Query Parameter: Try passing the ID via GET query string if POST fails:
/wp-json/bfe/v1/revert?id=<TARGET_ID>. - Nonce Requirement: If the response is
403 Forbiddenwith "Rest Cookie Invalid", use thebrowser_evalmethod described in Section 4 to obtain a nonce and include it asX-WP-Nonceheader.
Summary
The WP Front User Submit plugin for WordPress is vulnerable to unauthorized media deletion due to a missing authorization check on its REST API. Unauthenticated attackers can leverage the '/wp-json/bfe/v1/revert' endpoint to delete arbitrary media attachments from the WordPress library.
Vulnerable Code
// Likely located in includes/class-wp-front-user-submit-rest.php or similar register_rest_route( 'bfe/v1', '/revert', array( 'methods' => 'POST', 'callback' => array( $this, 'revert_upload' ), // Missing permission_callback allows unauthenticated access ) ); --- public function revert_upload( $request ) { $params = $request->get_params(); $attachment_id = isset( $params['id'] ) ? intval( $params['id'] ) : 0; if ( $attachment_id ) { // The plugin proceeds to delete the attachment without verifying ownership or capabilities wp_delete_attachment( $attachment_id, true ); return new WP_REST_Response( array( 'success' => true ), 200 ); } }
Security Fix
@@ -10,6 +10,9 @@ register_rest_route( 'bfe/v1', '/revert', array( 'methods' => 'POST', 'callback' => array( $this, 'revert_upload' ), + 'permission_callback' => function() { + return current_user_can( 'upload_files' ); + }, ) );
Exploit Outline
An attacker first determines the ID of a target media attachment (often visible in frontend source code or by iterating through numeric IDs). They then send an unauthenticated HTTP POST request to '/wp-json/bfe/v1/revert' with a JSON body such as {"id": 123}. Because the plugin fails to implement a 'permission_callback' for this route, the WordPress REST API processes the request, invoking the handler which calls 'wp_delete_attachment()' on the provided ID, effectively deleting the file from the server and database.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.