{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/file-deletion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2018-25308"}],"_cs_exploited":false,"_cs_products":["BuddyPress Xprofile Custom Fields Type"],"_cs_severities":["high"],"_cs_tags":["rce","file-deletion","wordpress"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBuddyPress Xprofile Custom Fields Type 2.6.3 is vulnerable to a remote code execution vulnerability, identified as CVE-2018-25308. This flaw enables authenticated users to execute arbitrary code on the server by deleting arbitrary files. The attack involves manipulating unescaped POST parameters, specifically \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e, during profile editing actions. Successful exploitation allows attackers to unlink files from the server, potentially disrupting services or gaining unauthorized access. 
This vulnerability was published on 2026-04-29 and poses a significant threat to BuddyPress installations that have not applied the necessary patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a BuddyPress site running the vulnerable Xprofile Custom Fields Type 2.6.3 plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their profile editing page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the profile update endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameters are manipulated to point to arbitrary files on the server.\u003c/li\u003e\n\u003cli\u003eThe server-side script processes the crafted POST request without proper sanitization or validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function or an equivalent file deletion function is called with the attacker-controlled file paths.\u003c/li\u003e\n\u003cli\u003eThe targeted files are deleted from the server file system.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially delete critical system files or web application files, leading to remote code execution or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25308 allows authenticated attackers to delete arbitrary files on the server. This can lead to a denial-of-service condition if critical system files are removed. The vulnerability can also potentially lead to remote code execution if the attacker is able to delete and replace executable files or inject malicious code into configuration files. 
While the number of victims is unknown, all BuddyPress installations using the vulnerable plugin are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for BuddyPress Xprofile Custom Fields Type to address CVE-2018-25308.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent manipulation of file paths in POST parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting the profile update endpoint with unusual \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameter values (reference the attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts based on the manipulation of specific POST parameters (reference the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:26Z","date_published":"2026-04-29T20:16:26Z","id":"/briefs/2026-04-buddypress-rce/","summary":"CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.","title":"BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution via Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-04-buddypress-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41383"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41383","directory-traversal","file-deletion","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. 
An attacker with control over the OpenShell configuration paths, specifically \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker\u0026rsquo;s workspace, leading to data loss and potential system compromise. This vulnerability allows an attacker to potentially wipe out important data on the remote end.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the OpenClaw configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and/or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e configuration values to point to a target directory they wish to delete.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a mirror sync operation.\u003c/li\u003e\n\u003cli\u003eOpenClaw, using the attacker-controlled path, connects to the remote system.\u003c/li\u003e\n\u003cli\u003eOpenClaw deletes the contents of the directory specified by the modified \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenClaw uploads the contents of the attacker\u0026rsquo;s local workspace to the now-empty remote directory, effectively replacing the original data.\u003c/li\u003e\n\u003cli\u003eThe targeted remote directory now contains the attacker\u0026rsquo;s data instead of the original contents.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw configuration files for unauthorized modifications to \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-directory-deletion/","summary":"OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.","title":"OpenClaw Arbitrary Directory Deletion 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-6832"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6832","path-traversal","file-deletion","webui"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHermes WebUI, a web-based user interface, contains an arbitrary file deletion vulnerability, tracked as CVE-2026-6832. The vulnerability resides in the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint. An authenticated attacker can exploit this flaw by supplying a crafted \u003ccode\u003esession_id\u003c/code\u003e parameter containing an absolute path or path traversal sequences. This allows the attacker to bypass the intended \u003ccode\u003eSESSION_DIR\u003c/code\u003e boundary and delete arbitrary files on the server, provided the attacker has write access to those files. Versions prior to the patched version are affected. 
Successful exploitation leads to information integrity issues and potential denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Hermes WebUI using valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003esession_id\u003c/code\u003e parameter with a path traversal payload (e.g., \u003ccode\u003e../../../../etc/passwd\u003c/code\u003e) or an absolute path to a target file.\u003c/li\u003e\n\u003cli\u003eThe Hermes WebUI application fails to properly validate the \u003ccode\u003esession_id\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path using the unvalidated \u003ccode\u003esession_id\u003c/code\u003e, allowing it to escape the intended \u003ccode\u003eSESSION_DIR\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, the target file is successfully deleted from the file system.\u003c/li\u003e\n\u003cli\u003eThe deletion of critical system or application files leads to a denial-of-service condition or other system instability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6832 allows authenticated attackers to delete arbitrary files on the system running Hermes WebUI. This can lead to data loss, application malfunction, or even complete system compromise if critical system files are deleted. The vulnerability affects all deployments of Hermes WebUI prior to the patched version, potentially impacting numerous organizations using the vulnerable software. 
While the exact number of victims is unknown, the severity of the vulnerability is high due to the potential for significant damage and disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Hermes WebUI to version v0.50.132 or later, where the vulnerability is patched, as referenced in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on the \u003ccode\u003esession_id\u003c/code\u003e parameter in the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect malicious requests to the \u003ccode\u003e/api/session/delete\u003c/code\u003e endpoint containing path traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to \u003ccode\u003e/api/session/delete\u003c/code\u003e with suspicious \u003ccode\u003esession_id\u003c/code\u003e values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-hermes-file-deletion/","summary":"Hermes WebUI is vulnerable to arbitrary file deletion via path traversal in the /api/session/delete endpoint due to insufficient validation of the session_id parameter, allowing authenticated attackers to delete writable JSON files on the host system.","title":"Hermes WebUI Arbitrary File Deletion Vulnerability (CVE-2026-6832)","url":"https://feed.craftedsignal.io/briefs/2026-04-hermes-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5478"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","cve-2026-5478"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). 
This flaw stems from the plugin\u0026rsquo;s improper handling of the \u003ccode\u003eold_files\u003c/code\u003e parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the \u003ccode\u003eunlink()\u003c/code\u003e function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the \u0026ldquo;store entry information\u0026rdquo; feature disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003eold_files\u003c/code\u003e parameter in the POST data, injecting a path traversal payload (e.g., \u003ccode\u003e../../../../wp-config.php\u003c/code\u003e) into its value.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the form submission, and the Everest Forms plugin extracts the \u003ccode\u003eold_files\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.\u003c/li\u003e\n\u003cli\u003eThe plugin attaches the resolved file (e.g., 
\u003ccode\u003e/var/www/wordpress/../../../../wp-config.php\u003c/code\u003e) to the notification email.\u003c/li\u003e\n\u003cli\u003eAfter sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function is called on the resolved path, leading to the deletion of the targeted file (e.g., \u003ccode\u003ewp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in \u003ccode\u003ewp-config.php\u003c/code\u003e. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. 
The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Everest Forms Arbitrary File Read Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).\u003c/li\u003e\n\u003cli\u003eMonitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T20:35:20Z","date_published":"2026-04-20T20:35:20Z","id":"/briefs/2026-08-everest-forms-rfi-rce/","summary":"The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.","title":"Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-5966"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5966 describes an arbitrary file deletion vulnerability in TeamT5\u0026rsquo;s ThreatSonar 
Anti-Ransomware. The vulnerability allows authenticated remote attackers with web access to exploit a path traversal flaw. This means that an attacker who already has valid credentials to access the web interface of ThreatSonar Anti-Ransomware can craft malicious requests to delete files that the application user has access to, regardless of their intended purpose or location. The CVSS v3.1 score is 8.1, indicating a high severity. The vulnerable software is ThreatSonar Anti-Ransomware from TeamT5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to the ThreatSonar Anti-Ransomware web interface, likely through credential stuffing or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ThreatSonar Anti-Ransomware web application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an endpoint within the web application that handles file operations (e.g., backup, restore, quarantine).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to this endpoint containing a path traversal payload in a filename or filepath parameter (e.g., \u003ccode\u003e../../../../windows/system32/drivers/etc/hosts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web application processes the request without proper sanitization or validation of the file path.\u003c/li\u003e\n\u003cli\u003eThe application attempts to delete the file specified by the attacker-controlled path.\u003c/li\u003e\n\u003cli\u003eIf the application user has sufficient privileges, the arbitrary file is deleted from the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows authenticated attackers to delete arbitrary files on the system where ThreatSonar Anti-Ransomware is installed. 
This could lead to denial of service by deleting critical system files, data loss by deleting important data files, or potentially privilege escalation by deleting files used in privilege escalation techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to the latest version of ThreatSonar Anti-Ransomware as provided by TeamT5 to address CVE-2026-5966.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all file path parameters within the ThreatSonar Anti-Ransomware web application to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) in file-related parameters to detect potential exploitation attempts. Deploy the Sigma rule for webserver logs.\u003c/li\u003e\n\u003cli\u003eImplement the principle of least privilege and regularly audit user permissions in ThreatSonar Anti-Ransomware.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T08:16:11Z","date_published":"2026-04-20T08:16:11Z","id":"/briefs/2026-04-threatsonar-file-deletion/","summary":"TeamT5's ThreatSonar Anti-Ransomware is vulnerable to arbitrary file deletion via path traversal, allowing authenticated remote attackers with web access to delete arbitrary files on the system.","title":"ThreatSonar Anti-Ransomware Arbitrary File Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-threatsonar-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3464"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","file-read","file-deletion","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and 
deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the \u0026lsquo;ajax_attach_file\u0026rsquo; function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting \u003ccode\u003ewp-config.php\u003c/code\u003e), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated file path, bypassing input validation.\u003c/li\u003e\n\u003cli\u003eThe plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.\u003c/li\u003e\n\u003cli\u003eIf reading, the contents of the targeted file are returned to the attacker in the HTTP response.\u003c/li\u003e\n\u003cli\u003eIf deleting, the targeted file is removed from the server.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a sensitive file, such as \u003ccode\u003ewp-config.php\u003c/code\u003e, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the instability to achieve remote 
code execution, potentially installing a web shell or other malicious code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing suspicious file paths targeting the \u0026lsquo;ajax_attach_file\u0026rsquo; function (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement stricter file path validation on the web server to prevent arbitrary file access.\u003c/li\u003e\n\u003cli\u003eApply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T17:17:07Z","date_published":"2026-04-17T17:17:07Z","id":"/briefs/2026-04-wp-customer-area-file-read-delete/","summary":"The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.","title":"WP Customer Area Plugin Arbitrary File Read and Deletion 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-31939"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path-traversal","file-deletion","chamilo-lms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to a path traversal vulnerability (CVE-2026-31939) affecting versions prior to 1.11.38. This vulnerability resides in the \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e script. The vulnerability arises because the application directly concatenates user-supplied input from the \u003ccode\u003e$_REQUEST['test']\u003c/code\u003e parameter into a filesystem path without proper sanitization, canonicalization, or traversal checks. This allows an attacker to manipulate the path and potentially delete arbitrary files on the server. Successful exploitation requires an authenticated user with access to the vulnerable functionality. 
Organizations using affected versions of Chamilo LMS are at risk of data loss and potential system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user accesses the \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e script within the Chamilo LMS application.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the value of the \u003ccode\u003etest\u003c/code\u003e parameter from the \u003ccode\u003e$_REQUEST\u003c/code\u003e array.\u003c/li\u003e\n\u003cli\u003eThe application concatenates this user-supplied value directly into a file system path without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eThe application then attempts to delete the file specified by the constructed path using a function such as \u003ccode\u003eunlink()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003etest\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) to navigate outside the intended directory.\u003c/li\u003e\n\u003cli\u003eThe application, without proper checks, uses the manipulated path to delete a file outside of the designated exercise directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes arbitrary files on the server, potentially including sensitive configuration files or other critical data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31939 allows an attacker to delete arbitrary files on the Chamilo LMS server. This can lead to data loss, system instability, and potential compromise of the entire system. The CVSS v3.1 score of 8.3 (HIGH) reflects the potential for significant impact, with confidentiality, integrity, and availability all being affected. 
The number of victims depends on the deployment size and user base of the affected Chamilo LMS instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-31939, as indicated in the advisory \u003ca href=\"https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38\"\u003ehttps://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied input, especially the \u003ccode\u003etest\u003c/code\u003e parameter in \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e, to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003emain/exercise/savescores.php\u003c/code\u003e containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e), using the provided Sigma rule as a guide.\u003c/li\u003e\n\u003cli\u003eImplement file system access controls to limit the permissions of the web server process to only the necessary directories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-path-trav/","summary":"A path traversal vulnerability (CVE-2026-31939) in Chamilo LMS versions prior to 1.11.38 allows authenticated attackers to delete arbitrary files via unsanitized user input in the 'test' parameter of savescores.php.","title":"Chamilo LMS Path Traversal Vulnerability 
(CVE-2026-31939)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-path-trav/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-5809"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","file-deletion","plugin","CVE-2026-5809"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the \u003ccode\u003etopic_add()\u003c/code\u003e and \u003ccode\u003etopic_edit()\u003c/code\u003e action handlers. Specifically, the plugin improperly handles array values in the \u003ccode\u003e$_REQUEST\u003c/code\u003e data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. 
This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with at least subscriber-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003etopic_add()\u003c/code\u003e or \u003ccode\u003etopic_edit()\u003c/code\u003e action handler.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker includes the \u003ccode\u003edata[body][fileurl]\u003c/code\u003e parameter containing the path to the file they wish to delete (e.g., \u003ccode\u003e/var/www/html/wp-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe wpForo plugin stores the attacker-supplied \u003ccode\u003efileurl\u003c/code\u003e value as postmeta associated with the forum topic without proper validation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another request, this time including the \u003ccode\u003ewpftcf_delete[]=body\u003c/code\u003e parameter, targeting the \u003ccode\u003etopic_edit\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eadd_file()\u003c/code\u003e method retrieves the poisoned \u003ccode\u003efileurl\u003c/code\u003e from the stored postmeta record.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to sanitize the path using \u003ccode\u003ewpforo_fix_upload_dir()\u003c/code\u003e, but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.\u003c/li\u003e\n\u003cli\u003eThe plugin calls \u003ccode\u003ewp_delete_file()\u003c/code\u003e on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an 
authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as \u003ccode\u003ewp-config.php\u003c/code\u003e. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect wpForo Arbitrary File Deletion Attempt\u0026rdquo; to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.\u003c/li\u003e\n\u003cli\u003eImplement stricter file permission controls to limit the PHP process\u0026rsquo;s write access to only necessary directories and files.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing the \u003ccode\u003ewpftcf_delete\u003c/code\u003e parameter, as highlighted in the Attack Chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T08:16:05Z","date_published":"2026-04-11T08:16:05Z","id":"/briefs/2026-04-wpforo-file-deletion/","summary":"The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.","title":"wpForo Forum Plugin Arbitrary File Deletion Vulnerability (CVE-2026-5809)","url":"https://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","acl","file upload","file 
deletion","CVE-2026-40189"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by \u003ccode\u003e.goshs\u003c/code\u003e files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file itself, thereby removing the authentication requirement and exposing previously protected content. This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Goshs instance utilizing \u003ccode\u003e.goshs\u003c/code\u003e files for access control.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:18-60\u003c/code\u003e. Example: \u003ccode\u003ePUT /protected/put-created.txt\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends an unauthenticated multipart POST request to \u003ccode\u003e/upload\u003c/code\u003e endpoint to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:63-165\u003c/code\u003e. 
Example: \u003ccode\u003ePOST /protected/upload\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?mkdir\u003c/code\u003e parameter to create a directory within the protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/handler.go:901-937\u003c/code\u003e. Example: \u003ccode\u003e/?mkdir=new_directory\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?delete\u003c/code\u003e parameter targeting the \u003ccode\u003e.goshs\u003c/code\u003e file within the protected directory, leveraging the vulnerable route in \u003ccode\u003ehttpserver/handler.go:679-698\u003c/code\u003e. Example: \u003ccode\u003e/.goshs?delete\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe server deletes the \u003ccode\u003e.goshs\u003c/code\u003e file using \u003ccode\u003eos.RemoveAll()\u003c/code\u003e, effectively removing the access control restrictions for the directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the \u003ccode\u003e.goshs\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. 
The ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated .goshs Deletion\u0026rdquo; to your SIEM to detect attempts to remove \u003ccode\u003e.goshs\u003c/code\u003e ACL files via the \u003ccode\u003e?delete\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated PUT Request to Protected Directories\u0026rdquo; to detect unauthorized file uploads to protected directories.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT, POST, and DELETE requests targeting directories containing \u003ccode\u003e.goshs\u003c/code\u003e files to identify potential exploitation attempts. 
(Log Source: webserver)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:02:46Z","date_published":"2026-04-10T20:02:46Z","id":"/briefs/2026-04-goshs-acl-bypass/","summary":"Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.","title":"Goshs File-Based ACL Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","file-deletion","goshs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe goshs application, a simple static file server written in Go, is vulnerable to a path traversal vulnerability (CVE-2026-35471). This flaw exists within the \u003ccode\u003edeleteFile\u003c/code\u003e function (\u003ccode\u003ehttpserver/handler.go\u003c/code\u003e) due to a missing \u003ccode\u003ereturn\u003c/code\u003e statement after a check for path traversal attempts using \u003ccode\u003e..\u003c/code\u003e. Specifically, if a request contains double-encoded path traversal sequences (e.g., \u003ccode\u003e%252e%252e\u003c/code\u003e), the check fails to prevent subsequent file deletion. This vulnerability, present in versions prior to 1.1.5-0.20260401172448-237f3af891a9, allows an unauthenticated attacker to delete arbitrary files and directories on the server. 
The vulnerability affects default configurations of goshs, requiring no authentication or specific flags to be set.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a goshs instance running a vulnerable version (prior to 1.1.5-0.20260401172448-237f3af891a9).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a GET request to a file path containing double-encoded path traversal sequences (\u003ccode\u003e%252e%252e\u003c/code\u003e) to bypass the path traversal check in \u003ccode\u003edeleteFile()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GET request includes the \u003ccode\u003e?delete\u003c/code\u003e parameter to trigger the file deletion logic.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edeleteFile()\u003c/code\u003e function receives the request and decodes the path, but the missing \u003ccode\u003ereturn\u003c/code\u003e after the path traversal check allows the execution to continue.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eos.RemoveAll()\u003c/code\u003e function is called with the manipulated path, leading to the deletion of arbitrary files or directories outside the intended webroot.\u003c/li\u003e\n\u003cli\u003eThe server responds with HTTP status code 200, even if the file deletion was successful or resulted in an error.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the deletion of the targeted file/directory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an unauthenticated attacker to delete any file or directory accessible to the goshs process. This could lead to data loss, system instability, or complete compromise of the server if critical system files are deleted. 
While the exact number of vulnerable instances is unknown, any organization using goshs versions prior to 1.1.5-0.20260401172448-237f3af891a9 is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to goshs version 1.1.5-0.20260401172448-237f3af891a9 or later to patch CVE-2026-35471.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect goshs Path Traversal Attempt via URL Encoding\u0026rdquo; to identify ongoing exploitation attempts based on double-encoded path traversal sequences in HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for GET requests containing double-encoded \u0026ldquo;..\u0026rdquo; sequences and the \u0026ldquo;?delete\u0026rdquo; parameter, indicative of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-goshs-path-traversal/","summary":"The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.","title":"goshs Unauthenticated Arbitrary File Deletion via Path Traversal","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4350"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4350","wordpress","perfmatters","file-deletion","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Perfmatters plugin, a popular WordPress performance optimization tool, contains a critical vulnerability (CVE-2026-4350) affecting versions up to and including 2.5.9.1. 
This flaw enables authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, to delete arbitrary files on the server. The vulnerability stems from the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method\u0026rsquo;s failure to sanitize the \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter. This lack of validation allows for path traversal attacks using sequences like \u003ccode\u003e../\u003c/code\u003e, enabling attackers to navigate outside the intended storage directory and delete any accessible file. Successful exploitation can lead to the deletion of critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e, effectively disabling the website and potentially allowing a full site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using a vulnerable version (\u0026lt;=2.5.9.1) of the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eAttacker gains Subscriber-level access to the WordPress site. This can be achieved through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET request targeting the WordPress site. The request includes the \u003ccode\u003edelete\u003c/code\u003e parameter with a path traversal payload. 
For example: \u003ccode\u003e?delete=../../../../wp-config.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method within the Perfmatters plugin.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePMCS::action_handler()\u003c/code\u003e method processes the unsanitized \u003ccode\u003e$_GET['delete']\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin concatenates the malicious path with the storage directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function executes, deleting the file specified by the attacker\u0026rsquo;s path traversal payload.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully deletes \u003ccode\u003ewp-config.php\u003c/code\u003e, the WordPress site becomes inaccessible and redirects to the installation wizard, potentially allowing for complete site takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server. A key target is \u003ccode\u003ewp-config.php\u003c/code\u003e, which contains sensitive database credentials. Deleting this file forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact ranges from defacement and data loss to complete control of the website, impacting businesses, organizations, and individuals relying on WordPress for their online presence. 
The ease of exploitation due to the low privilege requirements makes this a high-risk vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Perfmatters plugin to the latest version to patch CVE-2026-4350.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect Perfmatters Arbitrary File Deletion Attempt\u003c/code\u003e to identify potential exploitation attempts based on \u003ccode\u003ecs-uri-query\u003c/code\u003e in web server logs.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting on requests to \u003ccode\u003ewp-admin/options.php\u003c/code\u003e to mitigate potential brute-force exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for unusual patterns in \u003ccode\u003ecs-uri-query\u003c/code\u003e parameters containing \u003ccode\u003e../\u003c/code\u003e sequences, as these may indicate path traversal attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T08:16:17Z","date_published":"2026-04-03T08:16:17Z","id":"/briefs/2026-04-perfmatters-file-deletion/","summary":"The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.","title":"Perfmatters WordPress Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4350)","url":"https://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-34790"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","path-traversal","file-deletion","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eEndian Firewall, a security-focused Linux distribution designed for gateway security, is vulnerable to a path traversal attack. 
Specifically, versions 3.3.25 and earlier are affected by CVE-2026-34790. An authenticated user, with low-level privileges, can exploit this vulnerability to delete arbitrary files on the system. The flaw resides in the \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e script where the \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter is not properly sanitized. This allows an attacker to inject directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) into the file path, bypassing intended restrictions. This can lead to deletion of sensitive files, potentially disrupting system operations or facilitating further malicious activities. The vulnerability was reported in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Endian Firewall web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter with a payload containing directory traversal sequences (e.g., \u003ccode\u003e../../../../etc/shadow\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e script receives the request and constructs a file path using the unsanitized \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe script calls the \u003ccode\u003eunlink()\u003c/code\u003e function with the attacker-controlled file path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function deletes the file specified by the manipulated path.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process to delete other critical system files.\u003c/li\u003e\n\u003cli\u003eThis can lead to a denial-of-service condition, data loss, or the potential for further system 
compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to delete arbitrary files on the Endian Firewall system. This can result in a denial-of-service (DoS) condition if critical system files are removed. An attacker may target configuration files, logs, or even binaries, leading to system instability or the disabling of security features. The number of potential victims is dependent on the number of Endian Firewall deployments running vulnerable versions (3.3.25 and prior). Given that Endian Firewall is often used in small to medium-sized businesses, the impact could range from disruption of network services to potential data breaches, depending on the specific files targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a version of Endian Firewall that addresses CVE-2026-34790 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..\\\\\u003c/code\u003e) in the \u003ccode\u003eremove ARCHIVE\u003c/code\u003e parameter using the provided Sigma rule \u0026ldquo;Detect Endian Firewall Path Traversal Attempt\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied input, especially within CGI scripts like \u003ccode\u003e/cgi-bin/backup.cgi\u003c/code\u003e, to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eRestrict access to the Endian Firewall web interface to trusted networks or users and enforce strong authentication measures.\u003c/li\u003e\n\u003cli\u003eRegularly back up the Endian Firewall configuration and critical system files to mitigate the impact of potential data loss 
due to successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T15:16:42Z","date_published":"2026-04-02T15:16:42Z","id":"/briefs/2026-04-endian-traversal/","summary":"Endian Firewall versions 3.3.25 and prior allow authenticated users to delete arbitrary files due to a path traversal vulnerability in the `remove ARCHIVE` parameter of the `/cgi-bin/backup.cgi` script, leading to unauthorized file system modification.","title":"Endian Firewall Arbitrary File Deletion via Path Traversal (CVE-2026-34790)","url":"https://feed.craftedsignal.io/briefs/2026-04-endian-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","indicator-removal","file-deletion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis rule detects the deletion of web server access logs, a common tactic used by attackers to cover their tracks and hinder forensic investigations. The deletion of these logs may indicate an attempt to evade detection or destroy forensic evidence on a system. This detection rule focuses on identifying deletion events in directories commonly used for web server logs, such as those used by Apache and IIS. The rule covers multiple operating systems, providing a broad detection capability. This is important for defenders because web server logs are critical for monitoring web traffic and identifying malicious activity. 
The rule is designed to detect activity on \u0026ldquo;auditbeat-*\u0026rdquo;, \u0026ldquo;winlogbeat-*\u0026rdquo;, \u0026ldquo;logs-endpoint.events.*\u0026rdquo;, \u0026ldquo;logs-windows.sysmon_operational-*\u0026rdquo; indices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a system hosting a web server, potentially through exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the web server\u0026rsquo;s access logs. Common locations include \u003ccode\u003e/var/log/apache*/access.log\u003c/code\u003e and \u003ccode\u003eC:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a privileged account or escalates privileges to obtain the necessary permissions to delete the log files.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to delete the web server access logs. This could be done using \u003ccode\u003erm\u003c/code\u003e on Linux or \u003ccode\u003edel\u003c/code\u003e on Windows.\u003c/li\u003e\n\u003cli\u003eThe operating system records the file deletion event in its audit logs, which are monitored by security tools.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the deletion event based on the file path and event type.\u003c/li\u003e\n\u003cli\u003eThe security team is alerted to the potential intrusion and begins investigating the incident.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of web server access logs can significantly impede incident response and forensic investigations. Without these logs, it becomes difficult to determine the scope and impact of an attack, including identifying compromised accounts, exploited vulnerabilities, and stolen data. 
This can lead to delayed or ineffective remediation efforts, potentially resulting in further damage to the organization. The impact is particularly severe if the logs are deleted before suspicious activity is detected, as it removes valuable evidence needed for analysis.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWebServer Access Logs Deleted\u003c/code\u003e to your SIEM and tune for your environment to detect malicious log deletion attempts.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on web server log directories to detect unauthorized modifications or deletions.\u003c/li\u003e\n\u003cli\u003eReview and tighten access controls on web server log files to ensure only authorized personnel can modify or delete them.\u003c/li\u003e\n\u003cli\u003eImplement a robust log backup and retention policy to ensure that logs are available for forensic analysis even if they are deleted from the primary system.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eWebServer Access Logs Deleted\u003c/code\u003e rule promptly to determine the root cause and extent of the compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:12:42Z","date_published":"2026-04-01T14:12:42Z","id":"/briefs/2026-04-websvr-log-deletion/","summary":"Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.","title":"WebServer Access Logs Deleted","url":"https://feed.craftedsignal.io/briefs/2026-04-websvr-log-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","wordpress","file-deletion","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe WP Job Portal plugin for WordPress versions 
up to and including 2.4.9 is susceptible to an arbitrary file deletion vulnerability (CVE-2026-4758). The vulnerability stems from insufficient file path validation within the \u003ccode\u003eWPJOBPORTALcustomfields::removeFileCustom\u003c/code\u003e function. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. Successful exploitation allows attackers to delete critical files such as \u003ccode\u003ewp-config.php\u003c/code\u003e…\u003c/p\u003e\n","date_modified":"2026-03-26T00:16:41Z","date_published":"2026-03-26T00:16:41Z","id":"/briefs/2026-03-wp-job-portal-file-deletion/","summary":"The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.","title":"WP Job Portal Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4758)","url":"https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — File-Deletion","version":"https://jsonfeed.org/version/1.1"}