CVE-2026-32567

YML for Yandex Market < 5.3.0 - Authenticated (Shop Manager+) Arbitrary File Deletion

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
5.3.0
Patched in
44d
Time to patch

Description

The YML for Yandex Market plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the [function-name] function in all versions up to 5.3.0 (exclusive). This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<5.3.0
PublishedMarch 23, 2026
Last updatedMay 5, 2026
Affected pluginyml-for-yandex-market

What Changed in the Fix

Changes introduced in v5.3.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-32567 ## 1. Vulnerability Summary The **YML for Yandex Market** plugin for WordPress is vulnerable to **Authenticated Arbitrary File Deletion** via Path Traversal in versions prior to 5.3.0. The vulnerability exists because the plugin provides a mechanism to …

Show full research plan

Exploitation Research Plan - CVE-2026-32567

1. Vulnerability Summary

The YML for Yandex Market plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion via Path Traversal in versions prior to 5.3.0. The vulnerability exists because the plugin provides a mechanism to delete log files but fails to properly sanitize the file path provided by the user. An attacker with Shop Manager level access (or any role possessing the manage_woocommerce capability) can supply a path containing traversal sequences (e.g., ../../) to delete sensitive files on the server, such as wp-config.php.

2. Attack Vector Analysis

  • Entry Point: A request to the WordPress admin area, likely handled during admin_init or via a specific admin page action.
  • Vulnerable Function: delete_log (inferred) located within the Y4YM_Admin class or a related handler.
  • HTTP Parameter: log (inferred) or y4ym_log_file.
  • Trigger Parameter: y4ym_action=delete_log (inferred).
  • Authentication: Authenticated, Shop Manager role or higher (requires manage_woocommerce capability).
  • Preconditions: The plugin must be active. The attacker must obtain a valid nonce if the function implements check_admin_referer.

3. Code Flow

  1. **Hook Registration
Research Findings
Static analysis — not yet PoC-verified

Summary

The YML for Yandex Market plugin for WordPress is vulnerable to authenticated arbitrary file deletion due to insufficient input validation and path traversal in the feed removal functionality. Users with Shop Manager-level access can manipulate the 'checkbox_xml_file' parameter to delete sensitive files and directories, such as 'wp-config.php', which can lead to site takeover.

Vulnerable Code

// admin/class-y4ym-admin.php line 651

		$checkbox_xml_file_arr = $_GET['checkbox_xml_file'];
		for ( $i = 0; $i < count( $checkbox_xml_file_arr ); $i++ ) {
			$feed_id_str = (string) $checkbox_xml_file_arr[ $i ];

			y4ym_remove_directory( Y4YM_PLUGIN_UPLOADS_DIR_PATH . '/feed' . $feed_id_str );

		}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/yml-for-yandex-market/5.2.0/admin/class-y4ym-admin.php	2026-02-04 11:07:48.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yml-for-yandex-market/5.3.0/admin/class-y4ym-admin.php	2026-03-22 20:08:56.000000000 +0000
@@ -650,7 +650,16 @@
 
 		$checkbox_xml_file_arr = $_GET['checkbox_xml_file'];
 		for ( $i = 0; $i < count( $checkbox_xml_file_arr ); $i++ ) {
-			$feed_id_str = (string) $checkbox_xml_file_arr[ $i ];
+
+			// защита от CVSS 6.8 уязвимостей
+			$raw_feed_id = $checkbox_xml_file_arr[ $i ] ?? '';
+			// Проверяем: только цифры
+			if ( ! ctype_digit( (string) $raw_feed_id ) ) {
+				// Логируем подозрительную попытку
+				Y4YM_Error_Log::record( 'SECURITY: Invalid feed_id detected: ' . $raw_feed_id );
+				continue; // ? возможно стоит делать return, а не шерстить цикл дальше
+			}
+			$feed_id_str = (string) $raw_feed_id;
 
 			y4ym_remove_directory( Y4YM_PLUGIN_UPLOADS_DIR_PATH . '/feed' . $feed_id_str );

Exploit Outline

The exploit targets the feed deletion routine in the plugin's admin area. An attacker must have Shop Manager permissions (or the 'manage_woocommerce' capability). By sending a request (likely a GET or POST depending on how the action is registered) that includes the 'checkbox_xml_file[]' parameter, the attacker can supply traversal sequences like '../../../../wp-config.php'. The plugin then passes this unsanitized input to 'y4ym_remove_directory', which recursively deletes files at the resolved path, allowing for the destruction of critical WordPress configuration or system files.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.