WP Audio Gallery WordPress Plugin Arbitrary File Deletion Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the WP Audio Gallery plugin for WordPress, affecting all versions through 2.0. The issue arises from the 'wpag_uploadaudio_callback()' AJAX handler, which fails to properly validate user-supplied file paths in the 'audio_upload' parameter before passing them to the 'unlink()' function. This flaw enables authenticated attackers with subscriber-level access and above to delete arbitrary files on the server. Deleting critical files, such as 'wp-config.php', could lead to remote code execution.

Impact

Exploitation of this vulnerability allows authenticated users to delete arbitrary files on the server, potentially leading to remote code execution if critical files are removed.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can upload audio files through the WP Audio Gallery plugin. During the upload process, the 'audio_upload' parameter can be manipulated to include paths to sensitive files on the server. The 'wpag_uploadaudio_callback()' function will then delete these files without proper validation.