NinjaScanner WordPress Plugin Arbitrary File Deletion Vulnerability
Vulnerability
The NinjaScanner – Virus & Malware scan plugin for WordPress, in all versions through 3.2.5, allows authenticated users with Administrator-level access to delete arbitrary files on the server. The issue stems from inadequate file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions: a caller-supplied path is not confined to the plugin's quarantine location, so a path that points elsewhere on the filesystem is accepted. Exploitation can delete files outside the WordPress root directory.
Impact
Successful exploitation allows arbitrary file deletion on the server, including files outside the WordPress root directory. Deleting core or configuration files (for example wp-config.php) can take the site offline, and the attacker needs only a single AJAX request per file. Note that exploitation requires an Administrator account, so the realistic scenario is a compromised or malicious administrator rather than an unauthenticated attacker.
Reproduction
To reproduce this vulnerability, an authenticated user with Administrator-level access sends a request for the 'nscan_ajax_quarantine' action through the WordPress AJAX API (admin-ajax.php). The request carries a base64-encoded path of the file to be deleted together with a valid nonce for the operation; because the decoded path is not restricted to the quarantine directory, it may point anywhere the web server user can write. The 'nscan_quarantine_select' function is reachable the same way and is normally used to remove files the scanner has flagged as suspicious.
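The following is an added example, not NinjaScanner's own code, of the path-confinement check that a quarantine-delete handler of this kind needs. It decodes the base64 path exactly as the reproduction above describes, canonicalises it with realpath(), and refuses anything that does not resolve inside an allowed directory; the unsafe variant beside it trusts the decoded path as-is. The quarantine directory, the function names and the temporary file layout are assumptions for the demonstration; the plugin's real directory layout and request parameter names are not given on this page. In a real WordPress handler the nonce and capability checks (check_ajax_referer(), current_user_can()) still apply in addition to this check.

```php
<?php
// Added example (not NinjaScanner's code): confine a base64-encoded file path
// to one directory before deleting it. Names and the temp layout are assumptions.

/**
 * Return the canonical form of the base64-encoded path if it lies inside
 * $baseDir, or null if it is malformed, missing, or outside that directory.
 */
function confined_path(string $baseDir, string $encodedPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Strict decoding rejects non-base64 input; also refuse embedded NUL bytes.
    $decoded = base64_decode($encodedPath, true);
    if ($decoded === false || $decoded === '' || strpos($decoded, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators; false means
    // the file does not exist, in which case there is nothing to delete anyway.
    $real = realpath($decoded);
    if ($real === false) {
        return null;
    }
    // Compare against the base with a trailing separator so that a sibling
    // directory such as ".../quarantine2" cannot pass as ".../quarantine".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** Hardened delete: only removes a regular file inside the quarantine directory. */
function safe_quarantine_delete(string $baseDir, string $encodedPath): bool
{
    $target = confined_path($baseDir, $encodedPath);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

/** Unsafe pattern for contrast: deletes whatever path the caller encoded. */
function unsafe_quarantine_delete(string $encodedPath): bool
{
    $target = base64_decode($encodedPath);
    return $target !== false && is_file($target) && unlink($target);
}

// Constructed demonstration layout (not real site data): a quarantine directory
// holding one file, and a "wp-config.php" stand-in one level above it.
$root = sys_get_temp_dir() . '/ninjascan-demo-' . bin2hex(random_bytes(4));
mkdir("$root/quarantine", 0700, true);
file_put_contents("$root/quarantine/evil.php.bak", 'quarantined sample');
file_put_contents("$root/wp-config.php", 'stand-in for a file outside quarantine');

$inside  = base64_encode("$root/quarantine/evil.php.bak");
$outside = base64_encode("$root/quarantine/../wp-config.php"); // traversal attempt

// Hardened handler: the traversal is refused and the outside file survives,
// while the genuinely quarantined file is removed.
echo "safe, outside path: ", var_export(safe_quarantine_delete("$root/quarantine", $outside), true), PHP_EOL;
echo "wp-config.php still present: ", var_export(file_exists("$root/wp-config.php"), true), PHP_EOL;
echo "safe, inside path: ", var_export(safe_quarantine_delete("$root/quarantine", $inside), true), PHP_EOL;
echo "quarantined file still present: ", var_export(file_exists("$root/quarantine/evil.php.bak"), true), PHP_EOL;

// Unsafe handler: the same traversal input deletes the outside file.
echo "unsafe, outside path: ", var_export(unsafe_quarantine_delete($outside), true), PHP_EOL;
echo "wp-config.php still present: ", var_export(file_exists("$root/wp-config.php"), true), PHP_EOL;

// Clean up the temporary layout.
@unlink("$root/wp-config.php");
@unlink("$root/quarantine/evil.php.bak");
rmdir("$root/quarantine");
rmdir($root);
```

Run it with the PHP CLI (php example.php). The key design point is that the check is made on the canonical path returned by realpath() rather than on the raw decoded string, so encodings of "..", extra separators and symlinks are all resolved before the prefix comparison; checking the string before canonicalisation, or checking is_file() alone, would not stop the traversal described in this advisory.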
Remediation
Users are advised to update the NinjaScanner WordPress plugin to version 3.2.6 or later. Until the update is applied, review the accounts that hold the Administrator role and check the server's access log for admin-ajax.php requests carrying the 'nscan_ajax_quarantine' action from unexpected users.
