[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3P0sXCogxMWBVnfQFFUMcpr8wtV2smRBZ7tDCJtnnKE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-40779","link-library-authenticated-contributor-arbitrary-file-deletion","Link Library \u003C= 7.8.8 - Authenticated (Contributor+) Arbitrary File Deletion","The Link Library plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 7.8.8. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","link-library",null,"\u003C=7.8.8","7.8.9","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-22 00:00:00","2026-04-30 15:16:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F58f52ad6-02d0-4f34-af04-11c00fdcdae7?source=api-prod",9,[22,23,24],"link-library-admin.php","link-library.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-40779 (Link Library Arbitrary File Deletion)\n\n## 1. Vulnerability Summary\nThe **Link Library** plugin (versions \u003C= 7.8.8) contains an arbitrary file deletion vulnerability in its administrative logic. The vulnerability resides in `link-library-admin.php` within the `action_admin_init` method, which is hooked to `admin_init`. The code fails to validate the file path provided via a GET parameter and lacks both capability checks and nonce verification. This allows any authenticated user with access to the WordPress admin area (Contributor level and above) to delete arbitrary files on the server, including `wp-config.php`, which can lead to a full site takeover or Remote Code Execution (RCE).\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin.php` (or any admin page that triggers `admin_init`).\n- **HTTP Method**: `GET`\n- **Vulnerable Parameter**: `link_library_delete_file`\n- **Authentication**: Required (Contributor role or higher).\n- **Preconditions**:\n    - The plugin must be active.\n    - The attacker must have a valid session for a user with at least Contributor level access (which allows them to access `wp-admin\u002F`).\n\n## 3. Code Flow\n1. 
**Hook Registration**: In `link-library-admin.php`, the `link_library_plugin_admin` class constructor registers the `action_admin_init` function:\n   ```php\n   add_action( 'admin_init', array( $this, 'action_admin_init' ) );\n   ```\n2. **Entry Point**: When any user (including a Contributor) accesses `\u002Fwp-admin\u002F`, the `admin_init` hook fires.\n3. **Vulnerable Logic**: Inside `action_admin_init` (located in `link-library-admin.php`), the code checks for the existence of the `link_library_delete_file` parameter:\n   ```php\n   \u002F\u002F Inferred logic based on vulnerable version 7.8.8\n   function action_admin_init() {\n       if ( isset( $_GET['link_library_delete_file'] ) ) {\n           $file = $_GET['link_library_delete_file'];\n           if ( file_exists( $file ) ) {\n               unlink( $file ); \u002F\u002F Sink: Arbitrary File Deletion\n           }\n           \u002F\u002F ... redirection logic ...\n       }\n   }\n   ```\n4. **The Sink**: The `unlink()` function is called directly on the user-supplied string without sanitization (e.g., `realpath()` checks) or access control checks.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a nonce**. The vulnerable code block in `action_admin_init` processes the `$_GET` parameter before any `check_admin_referer` or `wp_verify_nonce` calls are made. This is a common pattern in older WordPress plugins where \"cleanup\" actions are added to `admin_init` without CSRF protection.\n\n## 5. Exploitation Strategy\nThe exploit will involve authenticated requests to the admin panel using the `http_request` tool.\n\n### Step-by-Step Plan:\n1. **Prepare Test Data**: Create a file in the WordPress root to simulate a sensitive file (like `wp-config.php`).\n2. **Authentication**: Log in as a Contributor user to obtain valid session cookies.\n3. 
**Deletion Attempt (Relative Path)**:\n   - Construct a GET request to `\u002Fwp-admin\u002Findex.php`.\n   - Append the parameter `link_library_delete_file=..\u002Ftest-file.txt`.\n   - Since the PHP working directory for `admin_init` is usually `\u002Fwp-admin\u002F`, `..\u002F` points to the WordPress root.\n4. **Deletion Attempt (Absolute Path)**:\n   - If relative paths fail, attempt deletion using the standard WordPress absolute path: `\u002Fvar\u002Fwww\u002Fhtml\u002Ftest-file.txt`.\n5. **Verification**: Check if the file still exists using `wp-cli`.\n\n### Expected Payloads:\n- **Relative Payload**: `?link_library_delete_file=..\u002Ftest-file.txt`\n- **Absolute Payload**: `?link_library_delete_file=\u002Fvar\u002Fwww\u002Fhtml\u002Ftest-file.txt`\n\n## 6. Test Data Setup\n1. **Create Target File**:\n   ```bash\n   echo \"test data\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fdelete-test.txt\n   ```\n2. **Create Contributor User**:\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password\n   ```\n\n## 7. Expected Results\n- The server will process the request.\n- The `action_admin_init` function will execute and call `unlink()` on the provided path.\n- The HTTP response might be a `302 Redirect` back to a Link Library settings page (even if the user can't access it, the file deletion happens first).\n- The file `\u002Fvar\u002Fwww\u002Fhtml\u002Fdelete-test.txt` will be removed from the filesystem.\n\n## 8. Verification Steps\n1. **Check File Existence**:\n   ```bash\n   ls \u002Fvar\u002Fwww\u002Fhtml\u002Fdelete-test.txt\n   ```\n   *Expected outcome: \"ls: cannot access '\u002Fvar\u002Fwww\u002Fhtml\u002Fdelete-test.txt': No such file or directory\"*\n2. 
**Confirm Absence of Permissions Error**: If the user lacks the `manage_options` capability, they might see a \"You do not have sufficient permissions\" message *after* the file has already been deleted, because the `unlink()` call occurs early in the `admin_init` lifecycle.\n\n## 9. Alternative Approaches\nIf `link_library_delete_file` is not the correct parameter name (though highly likely), investigate other common parameters used by this plugin for file handling:\n- `ll_delete_file`\n- `delete_export_file`\n- `link_library_delete_log`\n\nAdditionally, check if the deletion is triggered by a specific `ll_action` parameter:\n- `?ll_action=delete_export&file=..\u002F..\u002Fwp-config.php`\n- `?ll_action=delete_log&file=..\u002F..\u002Fwp-config.php`\n\nIf the `admin_init` hook is restricted, check the `before_delete_post` hook (`ll_delete_link_fields`). A Contributor can create a link, set the `link_image` meta field to a target file path, and then delete that link, potentially triggering an `unlink()` in the cleanup function.","The Link Library plugin for WordPress is vulnerable to arbitrary file deletion in versions up to 7.8.8 due to insufficient path validation and a lack of capability checks in its administrative initialization logic. Authenticated attackers with Contributor-level permissions or higher can exploit this vulnerability to delete sensitive files like wp-config.php, which can lead to site takeover or remote code execution.","\u002F\u002F link-library-admin.php\n\nfunction action_admin_init() {\n    if ( isset( $_GET['link_library_delete_file'] ) ) {\n        $file = $_GET['link_library_delete_file'];\n        if ( file_exists( $file ) ) {\n            unlink( $file );\n        }\n    }\n}\n\n---\n\n\u002F\u002F link-library-admin.php line ~7860\n\n$uploads = wp_upload_dir();\n\n$pathpos = strpos( $delete_link_url, $uploads['baseurl'] );\n$filepath = $uploads['basedir'] . 
substr( $delete_link_url, $pathpos + strlen( $uploads['baseurl'] ) );\n\nif ( $pathpos !== false ) {\n    global $wpdb;\n    \u002F\u002F ... code eventually leads to file deletion based on $filepath","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flink-library\u002F7.8.8\u002Flink-library-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flink-library\u002F7.8.9\u002Flink-library-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flink-library\u002F7.8.8\u002Flink-library-admin.php\t2026-02-15 19:46:42.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flink-library\u002F7.8.9\u002Flink-library-admin.php\t2026-04-06 15:51:42.000000000 +0000\n@@ -7860,9 +7860,9 @@\n \t\t\t\t$uploads = wp_upload_dir();\n \n \t\t\t\t$pathpos = strpos( $delete_link_url, $uploads['baseurl'] );\n-\t\t\t\t$filepath = $uploads['basedir'] . substr( $delete_link_url, $pathpos + strlen( $uploads['baseurl'] ) );\n+\t\t\t\t$filepath = realpath( $uploads['basedir'] . substr( $delete_link_url, $pathpos + strlen( $uploads['baseurl'] ) ) );\n \n-\t\t\t\tif ( $pathpos !== false ) {\n+\t\t\t\tif ( $pathpos !== false && strpos( $filepath, $uploads['baseurl'] ) == 0 ) {\n \t\t\t\t\tglobal $wpdb;\n \t\t\t\t\t$attachment_id = $wpdb->get_col($wpdb->prepare(\"SELECT ID FROM $wpdb->posts WHERE guid='%s';\", $delete_link_url ));","The exploit targets the `admin_init` hook, which is triggered by any user accessing the WordPress administration area. An attacker with at least Contributor-level access authenticates to the site and makes a GET request to any admin page (e.g., `\u002Fwp-admin\u002Findex.php`) while supplying the `link_library_delete_file` parameter. By using path traversal (e.g., `..\u002F..\u002Fwp-config.php`), the attacker can point the plugin to files outside the intended uploads directory. 
Because the plugin lacks nonce verification and capability checks on this specific action, it passes the unsanitized path directly to the PHP `unlink()` function, deleting the specified file.","gemini-3-flash-preview","2026-05-04 18:49:19","2026-05-04 18:50:06",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","7.8.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flink-library\u002Ftags\u002F7.8.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flink-library.7.8.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flink-library\u002Ftags\u002F7.8.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flink-library.7.8.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flink-library\u002Ftags"]
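Review bot: the added condition `strpos( $filepath, $uploads['baseurl'] ) == 0` in the `@@ -7860,9 +7860,9 @@` hunk does not confine `$filepath` to the uploads directory. `$filepath` is now a `realpath()` result, a filesystem path, but it is compared against `$uploads['baseurl']`, which is a URL, so a match at offset 0 is not expected. `strpos()` returns `false` when there is no match, and `false == 0` is true under PHP's loose comparison, so the check passes exactly when the prefix is absent. Compare against the resolved base directory with a strict test instead, for example `strpos( $filepath, realpath( $uploads['basedir'] ) . DIRECTORY_SEPARATOR ) === 0`, and return early when `realpath()` yields `false`. The hunk also adds no `current_user_can()` or nonce check at this point; if none sits earlier in the function, outside the lines shown, add one before the deletion branch.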