CVE-2025-2932

JKDEVKIT · JKDEVKIT plugin for WordPress

Executive summary

A high-severity arbitrary file deletion vulnerability in the JKDEVKIT plugin for WordPress allows an authenticated attacker to delete critical system files, potentially leading to a complete denial of service.

Vulnerability

An authenticated attacker can exploit insufficient file path validation within the 'font_upload_handler' function. By supplying a specially crafted file path, an attacker can trick the application into deleting arbitrary files on the underlying server filesystem.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could lead to a complete denial of service by deleting critical configuration files (e.g., wp-config.php) or core application components. This may result in significant operational downtime, loss of data integrity, and could potentially be used to disable security controls to facilitate further attacks.

Remediation

Immediate Action: Administrators should immediately update the JKDEVKIT plugin to the latest patched version. If the plugin is not essential for business operations, it should be disabled and removed entirely to eliminate the attack surface.

Proactive Monitoring: Monitor file integrity on the web server for any unauthorized or unexpected file deletions. Review web server access logs for suspicious POST requests targeting the vulnerable 'font_upload_handler' function.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules to detect and block directory traversal patterns in request parameters. Ensure web server file permissions are configured with the principle of least privilege to limit the impact of an exploit.
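As an added example of the log review suggested above (this is not code from the advisory or from the plugin vendor), the following Python parses combined-format web server access log lines and flags POST requests that name font_upload_handler and carry a directory-traversal sequence in a query parameter. The admin-ajax.php endpoint, the action and file parameter names, and the log lines themselves are constructed for illustration and are not taken from the advisory.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log lines (combined log format). The endpoint, the action
# value and the "file" parameter are assumptions for illustration only.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=font_upload_handler&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=font_upload_handler&file=fonts/custom.woff HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=font_upload_handler&file=%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment, either at the start of the value or between separators.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def has_traversal(value):
    """True if the (already once-decoded) value contains a .. path segment.

    parse_qs decodes percent-encoding once; a second unquote catches
    double-encoded sequences such as %252e%252e%252f. Backslashes are
    normalised to slashes so Windows-style separators are treated the same.
    """
    decoded = unquote(value).replace('\\', '/')
    return bool(TRAVERSAL_RE.search(decoded))


def flag_requests(log_text, handler='font_upload_handler'):
    """Return a list of findings for POST requests to the handler with traversal in any query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        target = m['target']
        if handler not in unquote(target):
            continue
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        suspicious = [k for k, vals in query.items() if any(has_traversal(v) for v in vals)]
        if suspicious:
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'status': m['status'], 'params': suspicious})
    return findings
```

Default access logs record only the request line, so traversal sequences sent in a POST body are invisible here; those need WAF or application-level logging to surface.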

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity of this vulnerability and its potential to cause a complete denial of service, immediate action is critical. We strongly recommend all administrators prioritize applying the vendor-supplied update or disabling the affected plugin without delay. Failure to remediate exposes the web application to significant operational risk.