Unauthenticated File Deletion Vulnerability in WP Hide & Security Enhancer plugin
CVE-2024-11585

7.5HIGH

Key Information:

Vendor: Wordpress
Status: WP Hide & Security Enhancer
Vendor: CVE Published:; 6 December 2024

Summary

The WP Hide & Security Enhancer plugin for WordPress is exposed to a serious vulnerability where unauthenticated attackers can exploit flaws in the file-process.php. This occurs due to inadequate authorization checks and insufficient validation of file paths, allowing unauthorized deletion of file contents on the server. This vulnerability affects all versions up to and including 2.5.1, potentially leading to significant data loss or even site breakdown if exploited.

Affected Version(s)

WP Hide & Security Enhancer * <= 2.5.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-hide-securi...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 6, 2024
Vulnerability Reserved
Nov 20, 2024

Credit

Michael Mazzolini