Advanced Members for ACF WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the Advanced Members for ACF WordPress plugin, affecting all versions through 1.2.5. This vulnerability arises from inadequate file path validation in the 'create_crop' function, allowing authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. Such actions could lead to remote code execution if critical files, like 'wp-config.php', are targeted.

Impact

Exploitation of this vulnerability could result in unauthorized deletion of files on the server, with potential for remote code execution if a sensitive file is removed.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can upload an image through the WordPress REST API. The 'wp_ajax_amem_avatar_crop' action can be used to crop the uploaded image, which triggers the 'create_crop' function. Due to the lack of proper path validation, this process can be manipulated to delete arbitrary files on the server.

Remediation

Users are advised to update the Advanced Members for ACF WordPress plugin to version 1.2.6 or later.
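The class of check whose absence is described above, as an added illustration that is not code from the Advanced Members for ACF plugin: a hypothetical crop handler helper that resolves a caller-supplied path and refuses to delete anything outside a fixed per-user avatar folder under wp-content/uploads. It assumes a WordPress runtime (wp_upload_dir, wp_normalize_path, trailingslashit and wp_delete_file are core functions); the folder layout and function names are assumptions.

```php
<?php
// Added example, not the plugin's code. The caller is expected to have already
// verified the AJAX nonce and the user's capability before reaching this point.

/**
 * Resolve $requested and confirm it is a regular image file inside the
 * (hypothetical) avatar folder of $user_id. Returns the real path or false.
 */
function amem_example_safe_avatar_path( string $requested, int $user_id ) {
    $uploads  = wp_upload_dir();
    $base_dir = realpath( trailingslashit( $uploads['basedir'] ) . 'avatars/' . $user_id );
    if ( false === $base_dir ) {
        return false; // folder does not exist yet, nothing to delete
    }
    $base_dir = wp_normalize_path( $base_dir );

    // Reject null bytes and traversal sequences before touching the filesystem.
    if ( strpos( $requested, "\0" ) !== false || strpos( $requested, '..' ) !== false ) {
        return false;
    }

    // Only the file name is taken from the caller; the directory is fixed server-side.
    $real = realpath( $base_dir . '/' . basename( $requested ) );
    if ( false === $real ) {
        return false;
    }
    $real = wp_normalize_path( $real );

    // Containment: the resolved target (symlinks collapsed) must sit under the base folder.
    if ( strpos( $real, $base_dir . '/' ) !== 0 ) {
        return false;
    }

    // Allow-list: only regular files with an image extension may be removed.
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! is_file( $real ) || ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
        return false;
    }

    return $real;
}

/** Delete the previous avatar only when the path passes every check above. */
function amem_example_delete_old_avatar( string $requested, int $user_id ): bool {
    $path = amem_example_safe_avatar_path( $requested, $user_id );
    if ( false === $path ) {
        return false;
    }
    wp_delete_file( $path ); // core wrapper around unlink()
    return true;
}
```

A handler built this way cannot be steered at files such as wp-config.php because the directory is never derived from request input and the resolved path is checked for containment after symlinks are collapsed.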

Added: Apr 8, 2026, 12:44 PM
Updated: Apr 8, 2026, 12:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 5.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.