28 Jan

Arbitrary File Deletion Vulnerability in Ad Manager by WD

When it comes to collecting data on WordPress plugin vulnerabilities, one of the things that sets us apart is that we check over reports before adding them to our data set. Doing that is valuable enough that the company behind the Wordfence Security plugin lies and claims the data they use has been “confirmed/validated” when it hasn’t (that is far from the only thing they lie about). Checking reports often leads to us finding that claimed vulnerabilities are false, or that vulnerabilities claimed to have been fixed haven’t been (incorrectly telling people that vulnerabilities have been fixed severely limits the usefulness of other data sources). Today it led to us finding a vulnerability in the plugin Ad Manager by WD.

Someone going by the handle 41!kh4224rDz disclosed that the current version of the plugin has an arbitrary file viewing vulnerability. When we tested the proof of concept, which allowed viewing the contents of the WordPress configuration file, wp-config.php, we found that afterwards the WordPress setup screen would show when trying to access any page of the website. That indicated that the WordPress configuration file was no longer there. It turns out that is because, right after the last line of code that causes the arbitrary file viewing vulnerability, the same file that was just viewed is passed to the unlink() function, which deletes it:

unlink($path); // line 109

We couldn’t find a way to privately contact the developer of the plugin about the already disclosed issue, so we did that publicly through Twitter and also mentioned this issue.

Proof of Concept

The following proof of concept will delete a file named “test.txt” in the root directory of the website.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../test.txt
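As an added example (not the plugin’s code, which the post does not reproduce beyond the unlink() call), the following PHP contrasts the pattern the post describes, a request-supplied “path” that is read and then unlinked, with a hardened export handler that only ever touches files inside one export directory. The export directory, the function names and the nonce action name are assumptions made for illustration:

```php
<?php
// Added example: constructed to mirror the behaviour described in the post,
// not code taken from Ad Manager by WD. Directory, function and nonce names
// below are assumptions.

const EXPORT_DIR = '/var/www/html/wp-content/uploads/wd-ads-exports'; // assumed

// Vulnerable pattern: whatever "path" the request carries is sent to the
// browser and then deleted, so ?path=../wp-config.php both discloses the
// configuration file and removes it.
function export_csv_vulnerable(string $path): void {
    header('Content-Type: text/csv');
    readfile($path);   // arbitrary file read
    unlink($path);     // arbitrary file deletion
}

// Hardened helper: accept only a plain .csv filename, resolve it inside
// EXPORT_DIR, and confirm the resolved path is still inside EXPORT_DIR.
function resolve_export_file(string $name): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]+\.csv$/', $name)) {
        return null;                          // slashes, dots, "..", etc. rejected
    }
    $base = realpath(EXPORT_DIR);
    $full = realpath(EXPORT_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;                          // directory or file does not exist
    }
    // realpath() collapses symlinks and "..", so anything that escaped the
    // export directory no longer starts with $base.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Hardened handler: capability check, nonce check, then read and delete only
// a file that resolve_export_file() has vouched for.
function export_csv_hardened(string $name): void {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    check_admin_referer('wd_ads_export');     // assumed nonce action; dies on failure

    $file = resolve_export_file($name);
    if ($file === null) {
        wp_die('Invalid export file', '', array('response' => 400));
    }
    header('Content-Type: text/csv');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    readfile($file);
    unlink($file);   // can now only remove a file inside EXPORT_DIR
}

// Dispatch for the export action, assuming the plugin generated the CSV into
// EXPORT_DIR earlier and passed back only its filename.
if (isset($_GET['export']) && $_GET['export'] === 'export_csv') {
    export_csv_hardened((string) ($_GET['path'] ?? ''));
}
```

The key change is that the handler never trusts the request to name a location: the allow-list regex stops traversal before any filesystem call, and the realpath() prefix check catches anything the regex did not anticipate, so the later unlink() cannot reach wp-config.php or any other file outside the export directory.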

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.
