CVE-2025-8213
WordPress · WordPress NinjaScanner – Virus & Malware scan plugin
A high-severity vulnerability has been identified in the NinjaScanner plugin for WordPress.
Executive summary
CVE-2025-8213 is a high-severity arbitrary file deletion vulnerability in the NinjaScanner – Virus & Malware scan plugin for WordPress. An authenticated attacker holding only a low-privileged account can delete arbitrary files on the web server, which can take the site down, destroy data, or be used to remove evidence of other malicious activity. Organizations running this plugin face a significant risk of service disruption and should act immediately.
Vulnerability
The vulnerability lies in the plugin's nscan_ajax_quarantine and nscan_quarantine_select functions, which implement the quarantine workflow exposed through the WordPress AJAX endpoint. Both functions accept a file path from the request and fail to validate that the path resolves to a location inside the intended quarantine directory. An authenticated attacker, even one with low privileges, can submit a request whose path contains traversal sequences (e.g., ../../..) and have the plugin delete files outside the quarantine directory, including wp-config.php and other core application files on the web server. Deleting wp-config.php is worse than a simple outage: with the configuration file gone, WordPress presents its installation wizard to any visitor, who can reinstall the site against a database they control and from there gain administrative access and code execution.
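The following block is an added illustration of the bug class described above; it is not the NinjaScanner plugin's code, and the function names, directory layout and payload are constructed for the example. It contrasts a quarantine "delete" handler that trusts a request-supplied path with the canonical-path containment check that closes the hole while leaving legitimate quarantine deletes working.

```python
"""Added illustration of the bug class behind CVE-2025-8213. This is NOT the
NinjaScanner plugin's code: the function names, directory layout and payload
are constructed for the example. It shows a quarantine "delete" handler that
trusts a user-supplied path, and the canonical-path containment check that
closes the hole without breaking legitimate use."""
import os
import tempfile


def unsafe_quarantine_delete(quarantine_dir: str, user_path: str) -> bool:
    """Vulnerable pattern: the request-controlled name is joined onto the
    quarantine directory and unlinked with no check that the result stays
    inside it, so '../../../wp-config.php' walks straight out of the directory."""
    target = os.path.join(quarantine_dir, user_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def is_inside(root: str, candidate: str) -> bool:
    """True only if candidate resolves (symlinks included) strictly below root."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return candidate != root and os.path.commonpath([root, candidate]) == root


def safe_quarantine_delete(quarantine_dir: str, user_path: str) -> bool:
    """Hardened pattern: resolve the final path and refuse anything outside the
    quarantine root. os.path.join discards the root when user_path is absolute
    ('/etc/passwd'), so the containment check must run on the joined result."""
    target = os.path.join(quarantine_dir, user_path)
    if not is_inside(quarantine_dir, target):
        raise ValueError(f"refusing to delete outside quarantine: {user_path!r}")
    target = os.path.realpath(target)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def demo(use_safe: bool) -> dict:
    """Build a throwaway WordPress-like tree, fire the traversal payload at the
    chosen handler, then a legitimate delete, and report what happened."""
    with tempfile.TemporaryDirectory() as site:
        config = os.path.join(site, "wp-config.php")
        quarantine = os.path.join(site, "wp-content", "uploads", "nscan-quarantine")
        os.makedirs(quarantine)
        with open(config, "w") as f:
            f.write("<?php // constructed stand-in for the real config\n")
        with open(os.path.join(quarantine, "sample.php.q"), "w") as f:
            f.write("quarantined sample\n")

        delete = safe_quarantine_delete if use_safe else unsafe_quarantine_delete
        # Three levels up: nscan-quarantine -> uploads -> wp-content -> site root.
        payload = "../../../wp-config.php"
        try:
            traversal_deleted = delete(quarantine, payload)
            rejected = False
        except ValueError:
            traversal_deleted, rejected = False, True
        legit_deleted = delete(quarantine, "sample.php.q")  # must still work when hardened
        return {
            "config_survived": os.path.exists(config),
            "traversal_deleted": traversal_deleted,
            "traversal_rejected": rejected,
            "legit_deleted": legit_deleted,
        }


if __name__ == "__main__":
    print("vulnerable:", demo(use_safe=False))
    print("hardened:  ", demo(use_safe=True))
```

The check is done on the fully resolved path rather than by searching the input for "..", because symlinks, absolute paths and encoded variants all defeat string matching; the same containment test applies whatever language the handler is written in.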
Business impact
This vulnerability is rated High severity with a CVSS score of 7.2. Exploitation can severely disrupt operations: an attacker can delete WordPress core files or wp-config.php (which holds the database credentials and security keys), leaving the site entirely inaccessible, a complete Denial of Service (DoS) that can only be reversed by restoring the deleted files from backup. Downtime brings reputational damage, loss of customer trust, and direct financial loss. An attacker can also use the same primitive to delete security logs, other security plugins, or .htaccess hardening rules, hindering forensic investigation and concealing a broader compromise.
Remediation
Immediate Action:
- Immediately update the NinjaScanner – Virus & Malware scan plugin to the latest available release, which contains the security patch for this vulnerability. The advisory lists the fixed release as greater than version 3; confirm the exact patched version number against the vendor's changelog and verify the installed version after updating.
- If the plugin is not business-critical or is no longer needed, the recommended course of action is to deactivate and completely remove it to eliminate this attack vector.
- Review WordPress file and directory permissions so the web server process holds only the privileges it needs. Note that deleting a file requires write permission on its parent directory, not on the file itself, so a read-only wp-config.php in a directory the PHP process can write to is still deletable; tightening permissions limits the blast radius but does not fix the bug, since the plugin legitimately needs write access to its quarantine directory.
Proactive Monitoring:
- Monitor web server access logs for POST requests to /wp-admin/admin-ajax.php with the actions nscan_ajax_quarantine or nscan_quarantine_select that carry unusual file paths or path traversal sequences (../, including URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f). Be aware that admin-ajax.php normally receives the action and its parameters in the POST body, which standard access logs do not record; where the parameters are not in the query string, the request body must be captured by a WAF, ModSecurity audit log, or equivalent for this detection to work.
- Implement a File Integrity Monitoring (FIM) solution to detect and alert on unauthorized changes or deletions to critical WordPress files, including wp-config.php, .htaccess, and files within the wp-admin and wp-includes directories.
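The detection described in the first monitoring item, as an added example that is not part of the advisory or the plugin: it parses combined-format access log lines, isolates requests to the two vulnerable AJAX actions, and rates each by whether any parameter carries a traversal sequence after undoing single and double URL encoding. The sample log lines and addresses are constructed for the example.

```python
"""Added detection example (constructed, not from the advisory or the plugin):
flag requests to the NinjaScanner quarantine AJAX actions in an Apache/Nginx
combined-format access log and rate them by whether a parameter carries a
path traversal sequence, including URL- and double-URL-encoded forms."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULNERABLE_ACTIONS = {"nscan_ajax_quarantine", "nscan_quarantine_select"}

# Combined log format: client ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)
# A '..' path segment anywhere in the value (after decoding and slash normalisation).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    return bool(TRAVERSAL_RE.search(fully_decode(value).replace("\\", "/")))


def analyze_line(line: str):
    """Return a finding dict for a request to a vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    hit = set(params.get("action", [])) & VULNERABLE_ACTIONS
    if not hit:
        return None
    traversal = [
        f"{name}={raw}"
        for name, values in params.items()
        if name != "action"
        for raw in values
        if has_traversal(raw)
    ]
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "action": sorted(hit)[0],
        "traversal": traversal,
        "severity": "high" if traversal else "info",
    }


def scan_log(text: str) -> list:
    return [f for f in map(analyze_line, text.splitlines()) if f]


# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=nscan_ajax_quarantine&file=../../../wp-config.php HTTP/1.1" 200 43 "-" "curl/8.1"
203.0.113.5 - - [17/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=nscan_quarantine_select&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 43 "-" "curl/8.1"
203.0.113.5 - - [17/Jul/2025:10:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=nscan_quarantine_select&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 43 "-" "curl/8.1"
198.51.100.7 - - [17/Jul/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=nscan_ajax_quarantine&file=malware-sample.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2025:10:03:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 12 "-" "-"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["action"], finding["traversal"])
```

Every request to the vulnerable actions is reported (at "info" level) because legitimate quarantine activity from low-privileged accounts is itself unusual, while traversal in any parameter raises the finding to "high". The example only sees parameters in the query string; to cover the normal case where admin-ajax.php parameters arrive in the POST body, feed it the decoded body from a WAF or ModSecurity audit log instead of the raw request line.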
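The file-integrity check in the second monitoring item, as an added example that is not part of the advisory: it hashes the critical paths named above into a baseline and diffs a later snapshot against it, so a deleted wp-config.php, an edited .htaccess, or a file planted under wp-includes is reported. The WordPress-like directory built in demo() is constructed for the example.

```python
"""Added file-integrity example (not from the advisory): take a SHA-256 baseline
of the critical WordPress paths named in the monitoring guidance and diff a
later snapshot against it. The directory layout built in demo() is constructed
for the example."""
import hashlib
import os
import tempfile

# Paths from the advisory's FIM recommendation, relative to the WordPress root.
CRITICAL_PATHS = ["wp-config.php", ".htaccess", "wp-admin", "wp-includes"]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str, targets=CRITICAL_PATHS) -> dict:
    """Map relative path -> digest for every file under the watched targets.
    Missing targets are simply absent, which is how a deletion shows up."""
    digests = {}
    for target in targets:
        full = os.path.join(root, target)
        if os.path.isfile(full):
            digests[target] = sha256_of(full)
        elif os.path.isdir(full):
            for dirpath, _, files in os.walk(full):
                for name in files:
                    path = os.path.join(dirpath, name)
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    digests[rel] = sha256_of(path)
    return digests


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every change; any non-empty list is an alert."""
    common = baseline.keys() & current.keys()
    return {
        "deleted": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Simulate the post-exploitation picture: wp-config.php removed, .htaccess
    edited, and a new PHP file planted under wp-includes."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            ".htaccess": "RewriteEngine On\n",
            "wp-admin/admin-ajax.php": "<?php // core\n",
            "wp-includes/version.php": "<?php $wp_version = 'x';\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        baseline = snapshot(root)

        os.remove(os.path.join(root, "wp-config.php"))
        with open(os.path.join(root, ".htaccess"), "a") as f:
            f.write("# hardening rule removed by attacker\n")
        with open(os.path.join(root, "wp-includes", "backdoor.php"), "w") as f:
            f.write("<?php // planted\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-good installation, store it off the web server (an attacker with file deletion can remove a baseline kept on the same host), and re-baseline after legitimate core or plugin updates so those changes do not drown real alerts. A scheduled comparison like this catches the aftermath; an inotify-based FIM agent catches the deletion as it happens.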
Compensating Controls:
- If immediate patching is not feasible, disable the NinjaScanner plugin until it can be safely updated. This is the most effective temporary control.
- Configure a Web Application Firewall (WAF) to inspect and block requests to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) that target the vulnerable actions and contain path traversal payloads in any parameter. The rule must inspect the POST body as well as the query string and normalize URL-encoded and double-encoded traversal sequences before matching, otherwise it is trivially bypassed.
- Ensure regular, automated backups of the entire WordPress installation (files and database) are being performed and are stored securely off-site to enable rapid recovery in the event of a compromise.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high severity of this vulnerability and its potential to cause a complete site outage, immediate remediation is strongly recommended. The primary course of action is to apply the vendor's security update across all websites running the affected plugin. No public exploit is known at the time of writing, but a file deletion reachable from a low-privileged account through a single AJAX request is simple to weaponize once the details are public, so patching should not be delayed. If the plugin's functionality is not essential, removing it entirely is the most secure option and reduces the overall attack surface.