MaxiBlocks Builder WordPress Plugin Arbitrary File Deletion Vulnerability
Vulnerability
A vulnerability exists in the MaxiBlocks Builder plugin for WordPress, allowing authenticated users with Author-level access and above to delete arbitrary media files. This issue arises from inadequate validation of file ownership in the 'maxi_remove_custom_image_size' AJAX action, affecting all versions up to and including 2.1.8. Exploitation of this vulnerability could lead to the deletion of files in the wp-content/uploads directory, including those uploaded by other users and administrators.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of media files, which could disrupt content management and lead to loss of important files.
Reproduction
To reproduce this vulnerability, an authenticated user with Author-level access or higher sends a request to the 'maxi_remove_custom_image_size' AJAX action. The request must include the 'old_media_src' parameter, which specifies the source URL of the media file to delete. Because the handler never validates ownership, the caller can delete files they do not own.
Remediation
Users are advised to update the MaxiBlocks Builder plugin to version 2.1.9 or a newer patched version.
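For plugin developers, the following is an added example of what a hardened version of this kind of handler looks like; it is illustrative code written for this page, not the MaxiBlocks plugin's own code. It uses a hypothetical action name, example_remove_image_size, and deliberately replaces the free-form media URL with an attachment ID and a registered size name so that every filesystem path is derived server-side, with the ownership check delegated to the 'delete_post' capability.

```php
<?php
// Added illustrative example; not the MaxiBlocks plugin's code. The action
// name "example_remove_image_size" is hypothetical. The client sends an
// attachment ID and a size name instead of a media URL; nothing supplied by
// the client is ever used as a path.

add_action( 'wp_ajax_example_remove_image_size', 'example_remove_image_size' );

function example_remove_image_size() {
    // CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_remove_image_size', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $size_name     = isset( $_POST['size'] ) ? sanitize_key( $_POST['size'] ) : '';

    if ( ! $attachment_id || '' === $size_name || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment or size', 400 );
    }

    // Ownership: for an Author, delete_post on an attachment uploaded by
    // someone else maps to delete_others_posts, which Authors do not have.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // Only a size WordPress itself recorded for this attachment may be removed.
    $meta = wp_get_attachment_metadata( $attachment_id );
    if ( empty( $meta['sizes'][ $size_name ]['file'] ) ) {
        wp_send_json_error( 'unknown size', 404 );
    }

    // Build the path from the attachment's own directory plus the recorded
    // basename, so the result can never leave that directory.
    $dir  = dirname( get_attached_file( $attachment_id ) );
    $path = trailingslashit( $dir ) . wp_basename( $meta['sizes'][ $size_name ]['file'] );

    if ( file_exists( $path ) ) {
        wp_delete_file( $path );
    }

    // Keep the attachment metadata consistent with what is on disk.
    unset( $meta['sizes'][ $size_name ] );
    wp_update_attachment_metadata( $attachment_id, $meta );

    wp_send_json_success( array( 'removed' => $size_name ) );
}
```

The three checks to look for when reviewing a delete handler are the nonce, the per-object capability check, and the server-side derivation of the path; the page's description indicates the vulnerable versions lacked the ownership check.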
