CVE-2025-10176
The Hack Repair Guy's Plugin Archiver plugin for WordPress
Executive summary
A high-severity vulnerability has been identified in "The Hack Repair Guy's Plugin Archiver" plugin for WordPress, affecting all versions up to and including 2. This flaw allows an attacker to delete arbitrary files on the server, which could lead to website defacement, denial of service by removing critical configuration files, or complete site compromise. Immediate action is required to update or remove the vulnerable plugin to mitigate the risk of exploitation.
Vulnerability
The vulnerability exists within the prepare_items function of the plugin, which fails to properly sanitize user-supplied input for file paths. An authenticated attacker with sufficient privileges to access the plugin's functionality can craft a malicious request containing directory traversal sequences (e.g., ../). This allows the attacker to bypass security checks and specify a path to any file on the server that the web server process has write permissions for, causing the application to delete it.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a severe impact on business operations. An attacker could delete critical files such as wp-config.php, which would render the entire website inaccessible, causing a denial of service. The deletion of other theme, plugin, or core WordPress files could break site functionality, corrupt data, or create an opening for further attacks. This poses a significant risk to website availability and integrity, potentially leading to reputational damage, customer distrust, and costly recovery efforts.
Remediation
Immediate Action:
- Immediately update "The Hack Repair Guy's Plugin Archiver" to the latest patched version provided by the vendor.
- If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate this attack vector.
- Verify that backups of the website and server configurations are current and can be restored if needed.
Proactive Monitoring:
- Implement File Integrity Monitoring (FIM) on the web server to generate alerts for any unauthorized or unexpected file deletions, particularly for critical files like wp-config.php, .htaccess, and core application directories.
- Review web server access logs for suspicious requests targeting the plugin's administrative functions, looking for patterns indicative of directory traversal attacks (e.g., ../, ..%2f).
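One way to run the access-log review described above, as an added example that is not part of the original advisory or the plugin's code. It assumes combined-format access logs; the page name PLUGIN_PAGE_PLACEHOLDER and the parameter example_param in the constructed sample lines are placeholders, since the advisory names neither.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD target HTTP/x.y" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path segment bounded by a separator, so "notes..html" does not match
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&]|$)')
# Assumption: the plugin's administrative screens are served from /wp-admin/
ADMIN_PREFIXES = ("/wp-admin/",)


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so ..%2f and double-encoded forms both normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(lines):
    """Return (ip, method, status, decoded_target) for admin requests with traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        target = fully_decode(m.group("target"))
        if target.startswith(ADMIN_PREFIXES) and TRAVERSAL_RE.search(target):
            hits.append((m.group("ip"), m.group("method"),
                         int(m.group("status")), target))
    return hits


# Constructed sample lines (documentation IPs, placeholder page and parameter names)
SAMPLE_LOG = [
    '203.0.113.7 - editor1 [10/Oct/2025:13:55:36 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE_PLACEHOLDER HTTP/1.1" 200 5120',
    '203.0.113.7 - editor1 [10/Oct/2025:13:56:01 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE_PLACEHOLDER&example_param=..%2f..%2fwp-config.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2025:14:02:11 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE_PLACEHOLDER&example_param=%252e%252e%252findex.php HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Oct/2025:14:03:40 +0000] "GET /blog/2025/10/release-notes..html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, method, status, target in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} {method} {status} {target}")
```

Access logs normally record only the request line, so traversal sequences sent in a POST body will not appear here; pair this review with the file integrity alerts above.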
Compensating Controls:
- If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block directory traversal payloads in requests to the vulnerable plugin endpoint.
- Enforce the principle of least privilege by ensuring the web server user account has the most restrictive file permissions possible. This can limit the impact of the vulnerability by preventing the deletion of critical system files outside of the web root directory.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the High severity rating (CVSS 7.2) and the potential for complete service disruption, it is strongly recommended that organizations take immediate action. The primary remediation is to update the affected plugin to a patched version without delay. If the plugin is non-essential, it should be removed entirely. Although this vulnerability is not yet on the CISA KEV list, its simplicity and high impact make it an attractive target for attackers, and organizations should prioritize mitigation to prevent potential exploitation.