Simple WP Events WordPress Plugin Arbitrary File Deletion Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the Simple WP Events plugin for WordPress, affecting all versions through 1.8.17. The issue arises from inadequate file path validation in the 'wpe_delete_file' AJAX action, enabling unauthenticated attackers to delete arbitrary files on the server. This vulnerability could easily lead to remote code execution if a critical file, such as 'wp-config.php', is deleted.

Impact

Exploitation of this vulnerability could result in unauthorized deletion of files on the server, potentially leading to remote code execution if a sensitive file is removed.

Reproduction

To reproduce this vulnerability, send a POST request to the 'wp_ajax_wpe_delete_file' action without the required permissions. The request must include a 'security' nonce and a 'url' parameter specifying the path of the file to be deleted. The absence of proper validation allows for the deletion of arbitrary files.

Remediation

Users are advised to update the Simple WP Events plugin to version 1.9.0 or later.