Description
The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter or the ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server.
Problem types
CWE-73 External Control of File Name or Path
Product status
Any version before 23.5
Credits
Gregory Allegoet & Bakir Tučić
WPScan
References
wpscan.com/...rability/c572c0ad-1b36-49ce-b254-2181e53abb46/