CVE-2026-4350
Path Traversal in Perfmatters Plugin Allows Arbitrary File Deletion
Publication date: 2026-04-03
Last updated on: 2026-04-03
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perfmatters | perfmatters | Up to and including 2.5.9.1 |
| perfmatters | perfmatters | From 2.4.4 to 2.6.0 (both inclusive) |
| perfmatters | perfmatters | 9.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Perfmatters plugin for WordPress has a vulnerability that allows arbitrary file deletion through path traversal in all versions up to and including 2.5.9.1.
This happens because the method PMCS::action_handler() processes the $_GET['delete'] parameter without sanitizing it, checking authorization, or verifying a nonce.
An attacker with Subscriber-level access or higher can exploit this by using '../' sequences in the filename to delete arbitrary files on the server, including critical files like wp-config.php.
Deleting wp-config.php would force WordPress into the installation wizard, potentially allowing full site takeover.
How can this vulnerability impact me?
This vulnerability can lead to severe impacts including the deletion of arbitrary files on the server by an authenticated user with low-level access.
Critical files such as wp-config.php can be deleted, which would disrupt the WordPress installation and force it into the installation wizard.
This disruption can allow an attacker to take over the entire site, leading to potential data loss, service downtime, and unauthorized control.
The CVSS score of 8.1 (High) reflects the significant integrity and availability impact of this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves the Perfmatters WordPress plugin processing the 'delete' parameter in the URL without sanitization or authorization checks, allowing arbitrary file deletion via path traversal sequences like '../'. Detection can focus on monitoring HTTP requests to the WordPress site whose 'delete' parameter carries path traversal patterns, bearing in mind that the sequence may arrive percent-encoded (for example '%2e%2e%2f') and will not match a plain-text search for '../'.
- Check web server access logs for requests containing 'delete=' parameters with '../' sequences.
- Use commands like grep to search logs, for example: grep -i 'delete=.*\.\./' /var/log/apache2/access.log
- Monitor for unexpected deletion of critical files such as 'wp-config.php' or other important WordPress files.
- Scan the plugin version installed; versions up to and including 2.5.9.1 are vulnerable.
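As an added example (not from the advisory or the Perfmatters project), the log check from the list above carried further in Python: it parses constructed Apache-style access-log lines, percent-decodes the `delete` parameter (including double-encoded forms that the plain grep above would miss) and flags any value containing a `..` path segment. The `/wp-admin/admin.php?page=perfmatters` request path in the sample lines is an assumed placeholder; only the `delete` parameter matters for the check.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
# The admin.php?page=perfmatters path is an assumed placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2026:10:01:12 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=cache.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2026:10:01:40 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=../../../wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Apr/2026:10:02:05 +0000] "GET /wp-admin/admin.php?page=perfmatters&delete=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.4 - - [03/Apr/2026:10:03:00 +0000] "GET /?s=delete HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, timestamp and request target of a GET/POST line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '%252e%252e' is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment equals '..' after decoding and slash normalisation."""
    segments = fully_unquote(value).replace("\\", "/").split("/")
    return ".." in segments

def flag_traversal_requests(log_text):
    """Return (client_ip, timestamp, decoded delete value) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        # parse_qs already decodes one layer of percent-encoding
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("delete", []):
            if has_traversal(value):
                hits.append((ip, ts, fully_unquote(value)))
    return hits

if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("suspicious delete request:", hit)
```

Point the function at a real log file's contents (for example `open('/var/log/apache2/access.log').read()`) to run it against live data; a benign file name such as `cache.css` produces no hit.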
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Perfmatters plugin to a version later than 2.5.9.1 where this vulnerability is fixed.
Restrict or monitor authenticated user access, especially for Subscriber-level accounts, to prevent exploitation.
Implement web application firewall (WAF) rules to block requests containing suspicious 'delete' parameters with path traversal sequences.
Review and harden file permissions on the server to limit the ability of the web server process to delete critical files.
Consider temporarily disabling the Perfmatters plugin if immediate update is not possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Perfmatters plugin allows authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including critical files like wp-config.php. This can lead to a full site takeover.
Such unauthorized file deletion and potential site takeover could result in loss or alteration of sensitive data, disruption of service, and compromise of data integrity.
These impacts may affect compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity, availability, and confidentiality, as well as proper access controls and incident response.
However, the provided information does not explicitly detail compliance implications or specific regulatory impacts.