Recently we found that the plugin Social Media and Share Icons (Ultimate Social Media) contained an authenticated option deletion vulnerability. The Social Media plugin is based on the code base of that plugin and contained the same vulnerable code. The only difference being that function is named sfsi_plus_DeleteSkin() in this plugin, that is located in the file /libs/controllers/sfsi_iconsUpload_contoller.php.

Proof of Concept

The following proof of concept will delete the siteurl option wp_options table, when logged in to WordPress. [Read more]