Executive Summary

The FormGent WordPress plugin versions before 1.0.4 have a vulnerability that allows unauthenticated attackers to delete arbitrary files on the server. This happens because the plugin does not properly validate file paths when handling file deletion requests. Attackers can exploit this by sending a specially crafted DELETE HTTP request with a base64-encoded file token that points to sensitive files, such as the WordPress configuration file, causing them to be deleted. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact by allowing attackers to delete critical files on your server without authentication. For example, deleting the WordPress configuration file can disrupt your website's functionality, cause data loss, and potentially lead to a complete site outage. This can result in downtime, loss of user trust, and additional recovery costs. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending a DELETE HTTP request to the endpoint `/wp-json/formgent/responses/attachments` with a JSON payload containing a base64-encoded file token representing a sensitive file path. For example, using curl: `curl -X DELETE -H "Content-Type: application/json" -d '{"file_token":"Li4vLi4vLi4vd3AtY29uZmlnLnBocA=="}' http://example.com/wp-json/formgent/responses/attachments -v`. A successful detection attempt returns an HTTP 204 No Content response, indicating the file deletion endpoint is vulnerable. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the FormGent WordPress plugin to version 1.0.4 or later, where the vulnerability has been fixed. Additionally, restricting access to the vulnerable endpoint and monitoring for suspicious DELETE requests can help reduce risk until the update is applied. [1]

Useful 0 Not Useful 0