BuddyPress Xprofile Custom Fields Type Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in version 2.6.3 of the BuddyPress Xprofile Custom Fields Type plugin. During profile editing, the plugin passes the unescaped POST parameters 'field_hiddenfile' and 'field_deleteimg' to a file unlink, so an authenticated user who manipulates those parameters can delete arbitrary files from the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the potential to delete arbitrary files.

Reproduction

To reproduce this vulnerability, log in as a user with BuddyPress access. Navigate to the profile editing page and upload an image as part of the profile data. Once the image is uploaded, modify the 'field_deleteimg' parameter to indicate the image should be deleted, and save the profile. This action will trigger the deletion of the specified image from the server.
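The root cause described in the Vulnerability section is a file name taken straight from a POST parameter and handed to unlink(). The handler below is an added example written for this page, not the plugin's own code or its fix: it shows how a profile-image delete request can be constrained so that the only file a user can remove is one directly inside their own image directory. Everything named here is an assumption: the function names (bpxcft_*), the per-user upload subdirectory bp-xprofile-images/<user_id>/, the nonce action 'bpxcft_delete_image', and the use of 'field_deleteimg' as the requested file name.

```php
<?php
// Added example, not from the plugin. Hypothetical names throughout.
//
// Unsafe pattern this replaces (the page's description of the flaw):
//   unlink( $_POST['field_deleteimg'] );   // any path, any file

/**
 * Resolve a user-supplied file name to a real path that sits directly
 * inside this user's own profile-image directory. Returns null for
 * anything else (directory components, "..", symlinks pointing out).
 */
function bpxcft_resolve_profile_image( $user_id, $requested ) {
    $name = basename( $requested );
    // A bare file name only: no directory part, nothing WordPress
    // would strip as unsafe, and not empty after sanitising.
    if ( $name === '' || $name !== $requested || $name !== sanitize_file_name( $name ) ) {
        return null;
    }

    // Assumed layout: <uploads>/bp-xprofile-images/<user_id>/<file>
    $upload    = wp_upload_dir();
    $base      = trailingslashit( $upload['basedir'] ) . 'bp-xprofile-images/' . (int) $user_id;
    $real_base = realpath( $base );
    $real_file = realpath( $base . '/' . $name );
    if ( $real_base === false || $real_file === false || ! is_file( $real_file ) ) {
        return null;
    }

    // realpath() has resolved symlinks and "..": the file's parent must
    // still be exactly this user's directory, not any other location.
    if ( dirname( $real_file ) !== $real_base ) {
        return null;
    }
    return $real_file;
}

/**
 * Handle a "delete my profile image" request from the profile edit form.
 * Returns true only when a file belonging to the current user was removed.
 */
function bpxcft_handle_delete_image() {
    // Only an authenticated user submitting the real form may reach unlink().
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $nonce = isset( $_POST['bpxcft_nonce'] ) ? (string) wp_unslash( $_POST['bpxcft_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'bpxcft_delete_image' ) ) {
        return false;
    }
    if ( empty( $_POST['field_deleteimg'] ) ) {
        return false;
    }

    $user_id   = get_current_user_id();
    $requested = (string) wp_unslash( $_POST['field_deleteimg'] );
    $path      = bpxcft_resolve_profile_image( $user_id, $requested );
    if ( $path === null ) {
        // Log the rejected name for detection; never touch the filesystem.
        error_log( sprintf( 'bpxcft: rejected delete of %s for user %d', $requested, $user_id ) );
        return false;
    }
    return unlink( $path );
}
```

Two design points worth noting. First, realpath() is what defeats "../" sequences and symlinks; comparing the resolved parent directory to the resolved base is a stricter test than a string prefix check, which a path such as base-evil/ would pass. Second, an even tighter design does not accept a file name from the request at all: the form carries only the intent to delete, and the handler reads the stored file name from the user's own profile data before unlinking it.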

Added: Apr 29, 2026, 8:29 PM
Updated: Apr 29, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.