YML for Yandex Market < 5.3.0 - Authenticated (Shop Manager+) Arbitrary File Deletion
Description
The YML for Yandex Market plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the [function-name] function in all versions up to 5.3.0 (exclusive). This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:HTechnical Details
<5.3.0What Changed in the Fix
Changes introduced in v5.3.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-32567 ## 1. Vulnerability Summary The **YML for Yandex Market** plugin for WordPress is vulnerable to **Authenticated Arbitrary File Deletion** via Path Traversal in versions prior to 5.3.0. The vulnerability exists because the plugin provides a mechanism to …
Show full research plan
Exploitation Research Plan - CVE-2026-32567
1. Vulnerability Summary
The YML for Yandex Market plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion via Path Traversal in versions prior to 5.3.0. The vulnerability exists because the plugin provides a mechanism to delete log files but fails to properly sanitize the file path provided by the user. An attacker with Shop Manager level access (or any role possessing the manage_woocommerce capability) can supply a path containing traversal sequences (e.g., ../../) to delete sensitive files on the server, such as wp-config.php.
2. Attack Vector Analysis
- Entry Point: A request to the WordPress admin area, likely handled during
admin_initor via a specific admin page action. - Vulnerable Function:
delete_log(inferred) located within theY4YM_Adminclass or a related handler. - HTTP Parameter:
log(inferred) ory4ym_log_file. - Trigger Parameter:
y4ym_action=delete_log(inferred). - Authentication: Authenticated, Shop Manager role or higher (requires
manage_woocommercecapability). - Preconditions: The plugin must be active. The attacker must obtain a valid nonce if the function implements
check_admin_referer.
3. Code Flow
- **Hook Registration
Summary
The YML for Yandex Market plugin for WordPress is vulnerable to authenticated arbitrary file deletion due to insufficient input validation and path traversal in the feed removal functionality. Users with Shop Manager-level access can manipulate the 'checkbox_xml_file' parameter to delete sensitive files and directories, such as 'wp-config.php', which can lead to site takeover.
Vulnerable Code
// admin/class-y4ym-admin.php line 651 $checkbox_xml_file_arr = $_GET['checkbox_xml_file']; for ( $i = 0; $i < count( $checkbox_xml_file_arr ); $i++ ) { $feed_id_str = (string) $checkbox_xml_file_arr[ $i ]; y4ym_remove_directory( Y4YM_PLUGIN_UPLOADS_DIR_PATH . '/feed' . $feed_id_str ); }
Security Fix
@@ -650,7 +650,16 @@ $checkbox_xml_file_arr = $_GET['checkbox_xml_file']; for ( $i = 0; $i < count( $checkbox_xml_file_arr ); $i++ ) { - $feed_id_str = (string) $checkbox_xml_file_arr[ $i ]; + + // защита от CVSS 6.8 уязвимостей + $raw_feed_id = $checkbox_xml_file_arr[ $i ] ?? ''; + // Проверяем: только цифры + if ( ! ctype_digit( (string) $raw_feed_id ) ) { + // Логируем подозрительную попытку + Y4YM_Error_Log::record( 'SECURITY: Invalid feed_id detected: ' . $raw_feed_id ); + continue; // ? возможно стоит делать return, а не шерстить цикл дальше + } + $feed_id_str = (string) $raw_feed_id; y4ym_remove_directory( Y4YM_PLUGIN_UPLOADS_DIR_PATH . '/feed' . $feed_id_str );
Exploit Outline
The exploit targets the feed deletion routine in the plugin's admin area. An attacker must have Shop Manager permissions (or the 'manage_woocommerce' capability). By sending a request (likely a GET or POST depending on how the action is registered) that includes the 'checkbox_xml_file[]' parameter, the attacker can supply traversal sequences like '../../../../wp-config.php'. The plugin then passes this unsanitized input to 'y4ym_remove_directory', which recursively deletes files at the resolved path, allowing for the destruction of critical WordPress configuration or system files.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.