The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments.
Unauthenticated attackers can exploit a critical vulnerability in the WP User Frontend WordPress plugin to delete attachments, leading to data loss and potential website disruption. This flaw stems from a missing capability check within the plugin's attachment handling functionality, allowing unauthorized users to execute privileged actions.
Step 1: Reconnaissance: The attacker identifies a WordPress website using the vulnerable WP User Frontend plugin (versions up to and including 4.2.4).
Step 2: Payload Creation: The attacker crafts a malicious HTTP POST request to the admin-ajax.php endpoint, which is a standard WordPress AJAX handler. This request targets the Frontend_Form_Ajax::submit_post function.
Step 3: Attachment ID Targeting: The attacker includes the ID of a specific attachment they wish to delete within the POST request parameters. This ID is used by the plugin to identify the file to be removed.
Step 4: Request Submission: The attacker sends the crafted POST request to the vulnerable website. The request does not require authentication.
Step 5: Exploitation: The submit_post function, lacking proper authorization, processes the request and deletes the specified attachment from the server. This results in data loss.
Step 6: Post-Exploitation (Optional): The attacker may attempt to delete multiple attachments, causing further data loss and potentially disrupting the website's functionality.
The vulnerability lies within the Frontend_Form_Ajax::submit_post function of the WP User Frontend plugin. The function lacks an authorization check before deleting attachments: any unauthenticated user can send a request to the plugin naming an attachment ID, and the function deletes that attachment without verifying that the requester is allowed to. The root cause is a missing current_user_can() check (or equivalent authorization) on the attachment being deleted before the deletion call. Note that a nonce check, even where present, only addresses CSRF and is not a substitute for this authorization check, because nonces can be obtained by any visitor who can load the page that issues them. The result is unauthorized modification of the site's data by anyone who can reach admin-ajax.php.
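To make the root cause concrete, here is an added illustration of the bug class and its fix, written for this page; it is not the WP User Frontend plugin's code, and the action name, POST field names, and nonce action it uses are made up. The first handler deletes whatever attachment IDs the client names, as the exploit steps above describe; the second adds the nonce, login, ownership, and current_user_can() checks that close the hole.

```php
<?php
/**
 * Illustrative example only: NOT the WP User Frontend plugin's code.
 *
 * Two versions of a hypothetical admin-ajax.php handler that removes
 * attachments while saving a front-end post. The first shows the class
 * of bug described above (deletion with no authorization); the second
 * is the hardened form.
 *
 * Assumed (made-up) names: the AJAX action 'example_submit_post', the
 * POST fields 'post_id' and 'remove_attachments', and the nonce action
 * 'example_submit_post_nonce'.
 */

// --- Vulnerable pattern: reachable by anonymous users, no capability check.
add_action( 'wp_ajax_example_submit_post',        'example_submit_post_vulnerable' );
add_action( 'wp_ajax_nopriv_example_submit_post', 'example_submit_post_vulnerable' );

function example_submit_post_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $ids     = array_map( 'absint', (array) ( $_POST['remove_attachments'] ?? array() ) );

    // Every ID the client names is deleted; the request is trusted as-is.
    // Nothing checks who is asking, whether the ID is an attachment at
    // all, or whether it belongs to the post being edited.
    foreach ( $ids as $attachment_id ) {
        wp_delete_attachment( $attachment_id, true );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// --- Hardened pattern: nonce, login, parent-post and per-object checks.
add_action( 'wp_ajax_example_submit_post_safe', 'example_submit_post_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: anonymous users never reach this code.

function example_submit_post_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    //    This alone is NOT authorization; steps 2-4 are what the bug lacks.
    check_ajax_referer( 'example_submit_post_nonce', '_wpnonce' );

    // 2. Authentication.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $ids     = array_map( 'absint', (array) ( $_POST['remove_attachments'] ?? array() ) );

    // 3. Authorization on the parent post being edited.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed to edit this post', 403 );
    }

    $deleted = array();
    foreach ( $ids as $attachment_id ) {
        $attachment = get_post( $attachment_id );

        // 4. Per-object checks: it must really be an attachment, it must
        //    belong to this post, and the user must be allowed to delete it.
        if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
            continue;
        }
        if ( (int) $attachment->post_parent !== $post_id ) {
            continue;
        }
        if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
            continue;
        }
        if ( wp_delete_attachment( $attachment_id, true ) ) {
            $deleted[] = $attachment_id;
        }
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'deleted' => $deleted ) );
}
```

If a front-end submission handler must stay reachable by logged-out visitors (for guest post submission, say), keeping the wp_ajax_nopriv_ hook is acceptable only if every destructive branch is still gated on current_user_can() for the specific object; for an anonymous visitor that check returns false for delete_post, so the deletion branch is simply never taken. The parent-post check matters too: without it, a low-privileged author with a valid nonce could name attachments from other users' posts.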