CVE-2025-9048

WordPress · WordPress Wptobe-memberships plugin

A high-severity vulnerability has been identified in the Wptobe-memberships plugin for WordPress, which could allow an attacker to delete arbitrary files from the web server.

Executive summary

A high-severity vulnerability has been identified in the Wptobe-memberships plugin for WordPress, which could allow an attacker to delete arbitrary files from the web server. Successful exploitation of this vulnerability could lead to a complete website outage, data loss, or server instability. Organizations using this plugin are urged to take immediate action to prevent potential disruption to their web services.

Vulnerability

The vulnerability exists within the del_img_ajax_call() function of the Wptobe-memberships plugin. This function fails to properly validate the file path provided by the user, a weakness known as Path Traversal. An authenticated attacker can send a specially crafted request to this function containing directory traversal sequences (e.g., ../../..) to target and delete critical files outside of the intended directory, such as wp-config.php or other essential system files.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant negative impact on business operations. An attacker could delete core WordPress files, causing a complete denial of service and taking the website offline. The deletion of configuration files, themes, or other plugins could result in data loss and require extensive effort to restore from backups. This can lead to financial losses due to downtime, damage to the organization's reputation, and a loss of customer trust.

Remediation

Immediate Action:

  • Immediately update the Wptobe-memberships plugin to the latest version available from the vendor, which addresses this vulnerability.
  • If an update is not available or the plugin is no longer essential for business operations, disable and completely remove the plugin from the WordPress installation.
  • Review WordPress file and directory permissions to ensure the web server process has the minimum necessary privileges, limiting its ability to modify or delete critical files.

Proactive Monitoring:

  • Monitor web server access logs for suspicious POST requests to WordPress AJAX endpoints, specifically looking for requests targeting the del_img_ajax_call action that contain path traversal characters (../).
  • Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized or unexpected deletion of critical files within the webroot and other sensitive server directories.
  • Review server logs for any file deletion errors or unexpected 404 errors that could indicate core files are missing.
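As an added example (not part of this advisory or the vendor's code), the following Python scan applies the first monitoring point above to constructed access-log lines: it flags requests to the WordPress AJAX endpoint whose action is del_img_ajax_call and whose parameters contain a traversal sequence, including percent-encoded and double-encoded forms. The endpoint path /wp-admin/admin-ajax.php, the parameter name img and the sample lines are assumptions; the advisory names only the action.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format fields we need: client IP, request line (method + target), status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Both slash styles; matched only after decoding, so encoded forms are caught too.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
AJAX_PATH = "/wp-admin/admin-ajax.php"   # assumed; standard WordPress AJAX endpoint
TARGET_ACTION = "del_img_ajax_call"      # the vulnerable action named in the advisory


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding (..%252F.. -> ..%2F.. -> ../)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return 'traversal', 'action_only' or None for one access-log line.

    'action_only' means the vulnerable action was called but no traversal is
    visible; parameters sent in a POST body never appear in access logs, so
    such requests still deserve a look (or application-level/WAF logging).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(AJAX_PATH):
        return None
    params = parse_qs(url.query)  # performs one round of decoding itself
    if TARGET_ACTION not in params.get("action", []):
        return None
    for values in params.values():
        if any(TRAVERSAL_RE.search(fully_decode(v)) for v in values):
            return "traversal"
    return "action_only"


# Constructed sample lines (not real traffic): plain, double-encoded, benign-looking, unrelated.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=del_img_ajax_call&img=../../wp-config.php HTTP/1.1" 200 15',
    '203.0.113.7 - - [10/Oct/2025:13:55:40 +0000] "POST /wp-admin/admin-ajax.php?action=del_img_ajax_call&img=..%252F..%252Fwp-config.php HTTP/1.1" 200 15',
    '198.51.100.2 - - [10/Oct/2025:14:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=del_img_ajax_call&img=photo.jpg HTTP/1.1" 200 15',
    '198.51.100.2 - - [10/Oct/2025:14:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict = classify(line)
        if verdict:
            print(verdict, line.split('"')[1])
```

Because WordPress AJAX calls usually carry their parameters in the POST body, the 'action_only' verdict is where most real hits will land; pairing this with the FIM alerts from the second point closes that gap.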

Compensating Controls:

  • If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) with rules designed to detect and block path traversal attempts in web requests.
  • Enforce strict file system permissions to prevent the web server's user account from deleting files outside of its designated directories (e.g., the uploads folder).
  • Ensure regular, automated backups of the entire WordPress installation (files and database) are being performed and that the restoration process is tested.

Exploitation status

Public exploit available: No

Analyst recommendation

Given the high CVSS score of 8.1 and the critical impact of arbitrary file deletion, we strongly recommend that organizations treat this vulnerability with high priority. Although it is not currently listed on the CISA KEV list, the risk of a denial-of-service attack is significant. All administrators should immediately identify installations of the Wptobe-memberships plugin and apply the necessary updates or remove the plugin entirely to mitigate this risk.