wpForo Forum
cpe:2.3:a:gvectors:wpforo_forum:*:*:*:*:wordpress:*:*
- <= 3.0.2
A vulnerability allowing arbitrary file deletion has been identified in the wpForo Forum plugin for WordPress, affecting versions through 3.0.2. The issue arises from a logic flaw in the topic_add() and topic_edit() action handlers, which accept user-supplied data arrays from $_REQUEST and store them as postmeta without proper validation. Since the 'body' field is included in the allowed list, an attacker can inject a file path through the data[body][fileurl] parameter. This malicious file URL is then saved in the plugin's postmeta database table. When the wpftcf_delete[]=body parameter is sent in a topic_edit request, the add_file() method retrieves the poisoned file URL, bypasses validation, and deletes the file at the specified path. This vulnerability allows authenticated attackers with subscriber-level access and above to remove any files writable by the PHP process on the server, including sensitive files like wp-config.php.
Exploitation of this vulnerability allows authenticated attackers to delete arbitrary files on the server, potentially including critical WordPress files such as wp-config.php.
No known patch available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
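The root cause described above is that a request-controlled value (data[body][fileurl]) is persisted to postmeta and later passed straight to a file-deletion routine. The following is an added example, not wpForo's own code, of how such a deletion path should be hardened: the stored URL is only ever mapped back to a file under the uploads directory, the resolved path is checked with realpath(), and anything else is logged and refused. The function names, the $uploads_url / $uploads_dir parameters (in WordPress these would come from wp_upload_dir()) and the sample URLs are assumptions. The stronger fix remains not to accept fileurl from the request at all and to record only server-generated paths; this check is defence in depth for the case where stored metadata has already been poisoned.

```php
<?php
// Added example (hypothetical, not the plugin's code): hardened deletion of an
// attachment whose location was recorded in postmeta.
// Assumes $uploads_url and $uploads_dir are the site's uploads URL and
// directory (wp_upload_dir() in WordPress); both are passed in so this runs offline.

function wpforo_example_resolve_upload_path(string $file_url, string $uploads_url, string $uploads_dir): ?string {
    // Only URLs beneath the uploads URL are candidates; absolute filesystem
    // paths or foreign hosts are rejected immediately.
    $uploads_url = rtrim($uploads_url, '/') . '/';
    if (strncmp($file_url, $uploads_url, strlen($uploads_url)) !== 0) {
        return null;
    }
    $relative = substr($file_url, strlen($uploads_url));

    // Drop any query string / fragment and reject traversal sequences outright.
    $relative = strtok($relative, '?#');
    if ($relative === false || $relative === '' || strpos($relative, '..') !== false) {
        return null;
    }

    // Resolve both sides; a missing file or directory yields false.
    $base      = realpath($uploads_dir);
    $candidate = realpath($uploads_dir . '/' . $relative);
    if ($base === false || $candidate === false) {
        return null;
    }

    // The resolved path must stay inside the uploads tree and be a regular file
    // (symlinks pointing out of the tree are resolved by realpath and caught here).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

function wpforo_example_delete_attachment(string $file_url, string $uploads_url, string $uploads_dir): bool {
    $path = wpforo_example_resolve_upload_path($file_url, $uploads_url, $uploads_dir);
    if ($path === null) {
        // Refusals are logged so a poisoned postmeta value is visible to operators.
        error_log('wpforo_example: refused to delete attachment outside uploads: ' . $file_url);
        return false;
    }
    return unlink($path);
}

// Constructed demo data: a temporary uploads tree with one legitimate attachment.
$uploads_dir = sys_get_temp_dir() . '/wpforo_example_uploads';
@mkdir($uploads_dir . '/wpforo', 0700, true);
file_put_contents($uploads_dir . '/wpforo/ok.txt', 'attachment');
$uploads_url = 'https://example.com/wp-content/uploads/';

// A legitimate attachment URL resolves to a path inside the uploads tree.
var_dump(wpforo_example_resolve_upload_path($uploads_url . 'wpforo/ok.txt', $uploads_url, $uploads_dir) !== null);
// Traversal inside an uploads URL, and a bare filesystem path, are both refused.
var_dump(wpforo_example_resolve_upload_path($uploads_url . '../../../wp-config.php', $uploads_url, $uploads_dir));
var_dump(wpforo_example_resolve_upload_path('/var/www/html/wp-config.php', $uploads_url, $uploads_dir));
// Deleting the legitimate attachment succeeds; deleting the poisoned URL does not.
var_dump(wpforo_example_delete_attachment($uploads_url . 'wpforo/ok.txt', $uploads_url, $uploads_dir));
var_dump(wpforo_example_delete_attachment('/etc/hostname', $uploads_url, $uploads_dir));
```

On a site that has already been exposed, the same resolver can be run read-only over existing wpForo postmeta rows to flag any stored fileurl that does not map back into the uploads directory, which is a cheap indicator that the flaw has been exercised.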