Main Vulnerability Database SB2019031001

SB2019031001 - Arbitrary file deletion in WP Fastest Cache plugin for WordPress

Published: March 10, 2019 Updated: March 25, 2019

Security Bulletin ID SB2019031001

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2019-6726)

The vulnerability allows a remote attacker to delete arbitrary files on the target system.

The vulnerability exists due to input validation error when processing directory traversal sequences passed via Referer HTTP header within the wp_postratings_clear_cache() function. A remote attacker can send a specially crafted HTTP request and delete arbitrary .php files on the server, causing denial of service attack.

Remediation

Install update from vendor's website.

References

https://0day.work/cve-2019-6726-arbitrary-file-deletion-in-wp-fastest-cache-0-8-8-1/
https://wpvulndb.com/vulnerabilities/9226/