WPFunnels WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the WPFunnels plugin for WordPress, affecting all versions through 3.6.2. This issue arises from inadequate file path validation in the 'wpfnl_delete_log' function. As a result, authenticated attackers with Administrator-level access can delete any file on the server. Exploiting this vulnerability could lead to remote code execution, especially if a critical file like 'wp-config.php' is deleted.
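The root cause described above is a file path taken from a request parameter and passed to a delete operation without confining it to the plugin's log directory. The following is an added example, not WPFunnels code, of how a log-deletion handler can validate such a key: it allows only a conservative character set, appends the extension server-side, and then confirms with `realpath()` that the resolved file still lives inside the log directory. The function names (`wpfnl_safe_log_path`, `wpfnl_delete_log_hardened`) and the temporary directory used in the demo are assumptions made for this illustration.

```php
<?php
// Added example (not the plugin's own code): hardened log-key handling.
// Assumed names: wpfnl_safe_log_path(), wpfnl_delete_log_hardened().
declare(strict_types=1);

/**
 * Resolve a user-supplied log key to a path inside $logDir, or return null.
 * Defence in depth: an allow-list on the key (no '/', '\\', '..' or NUL can
 * pass it), a server-side extension, and a canonical-path containment check
 * that also defeats symlinks pointing outside the log directory.
 */
function wpfnl_safe_log_path(string $logKey, string $logDir): ?string
{
    // 1. Only letters, digits, underscore and hyphen, 1..64 characters.
    if (!preg_match('/\A[A-Za-z0-9_\-]{1,64}\z/', $logKey)) {
        return null;
    }

    // 2. The caller never controls the extension or the directory.
    $candidate = rtrim($logDir, '/') . '/' . $logKey . '.log';

    // 3. Canonicalise and confirm the file sits under the log directory.
    $realDir  = realpath($logDir);
    $realFile = realpath($candidate);           // false if the file does not exist
    if ($realDir === false || $realFile === false) {
        return null;
    }
    $prefix = $realDir . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realFile;
}

/**
 * Delete a log file by key. In a real WordPress AJAX handler this would also
 * be preceded by a nonce check (check_ajax_referer) and a capability check
 * (current_user_can); those are omitted here so the example runs outside WP.
 */
function wpfnl_delete_log_hardened(string $logKey, string $logDir): bool
{
    $path = wpfnl_safe_log_path($logKey, $logDir);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Demo on a constructed temporary log directory.
$logDir = sys_get_temp_dir() . '/wpfnl-demo-' . getmypid();
mkdir($logDir, 0700);
file_put_contents($logDir . '/checkout-2025-11-08.log', "constructed sample line\n");

// Well-formed key: resolves to the file inside the log directory.
printf("valid key -> %s\n", var_export(wpfnl_safe_log_path('checkout-2025-11-08', $logDir), true));

// Traversal attempts and other malformed keys are rejected before any filesystem access.
foreach (['../wp-config', '../../wp-config.php', 'sub/dir', "x\0y", ''] as $bad) {
    printf("rejected key %s -> %s\n", json_encode($bad), var_export(wpfnl_safe_log_path($bad, $logDir), true));
}

// Only the intended log file can be removed.
printf("delete valid -> %s\n", var_export(wpfnl_delete_log_hardened('checkout-2025-11-08', $logDir), true));
printf("delete again -> %s\n", var_export(wpfnl_delete_log_hardened('checkout-2025-11-08', $logDir), true));
rmdir($logDir);
```

The allow-list on the key is the primary control; the `realpath()` containment check is there so that a future change to how keys are built (or a symlink dropped into the log directory) cannot silently reintroduce the traversal.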

Impact

Successful exploitation allows authenticated users with Administrator privileges to delete arbitrary files on the server. This could result in remote code execution if a sensitive file is removed.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can send a request to the 'wpfnl_delete_log' function. The request must include a 'logKey' payload that is not properly sanitized, allowing for path traversal. This can be done by manipulating the 'logKey' value to point to a file outside the intended directory, such as 'wp-config.php'.

Remediation

Users are advised to update the WPFunnels plugin to version 3.6.3 or later, where this vulnerability has been patched.

Added: Nov 8, 2025, 4:27 AM
Updated: Nov 8, 2025, 4:27 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.