https://feed.craftedsignal.io/tags/file-deletion/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 20:16:26 +0000https://feed.craftedsignal.io/briefs/2026-04-buddypress-rce/Wed, 29 Apr 2026 20:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-buddypress-rce/CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.BuddyPress Xprofile Custom Fields Type 2.6.3 is vulnerable to a remote code execution vulnerability, identified as CVE-2018-25308. This flaw enables authenticated users to execute arbitrary code on the server by deleting arbitrary files. The attack involves manipulating unescaped POST parameters, specifically field_hiddenfile and field_deleteimg, during profile editing actions. Successful exploitation allows attackers to unlink files from the server, potentially disrupting services or gaining unauthorized access. This vulnerability was published on 2026-04-29 and poses a significant threat to BuddyPress installations that have not applied the necessary patches.

Attack Chain

1. An attacker authenticates to a BuddyPress site running the vulnerable Xprofile Custom Fields Type 2.6.3 plugin.
2. The attacker navigates to their profile editing page.
3. The attacker crafts a malicious HTTP POST request to the profile update endpoint.
4. Within the POST request, the field_hiddenfile and field_deleteimg parameters are manipulated to point to arbitrary files on the server.
5. The server-side script processes the crafted POST request without proper sanitization or validation of the file paths.
6. The unlink() function or an equivalent file deletion function is called with the attacker-controlled file paths.
7. The targeted files are deleted from the server file system.
8. The attacker can potentially delete critical system files or web application files, leading to remote code execution or denial of service.

Impact

Successful exploitation of CVE-2018-25308 allows authenticated attackers to delete arbitrary files on the server. This can lead to a denial-of-service condition if critical system files are removed. The vulnerability can also potentially lead to remote code execution if the attacker is able to delete and replace executable files or inject malicious code into configuration files. While the number of victims is unknown, all BuddyPress installations using the vulnerable plugin are susceptible.

Recommendation

• Apply any available patches or updates for BuddyPress Xprofile Custom Fields Type to address CVE-2018-25308.
• Implement input validation and sanitization on the server-side to prevent manipulation of file paths in POST parameters.
• Monitor web server logs for suspicious POST requests targeting the profile update endpoint with unusual field_hiddenfile and field_deleteimg parameter values (reference the attack chain).
• Deploy the Sigma rule provided to detect exploitation attempts based on the manipulation of specific POST parameters (reference the Sigma rule).

]]>highadvisoryrcefile-deletionwordpresshttps://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.OpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically remoteWorkspaceDir and remoteAgentWorkspaceDir, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker’s workspace, leading to data loss and potential system compromise. This vulnerability allows an attacker to potentially wipe out important data on the remote end.

Attack Chain

1. The attacker gains access to the OpenClaw configuration.
2. The attacker modifies the remoteWorkspaceDir and/or remoteAgentWorkspaceDir configuration values to point to a target directory they wish to delete.
3. The attacker initiates a mirror sync operation.
4. OpenClaw, using the attacker-controlled path, connects to the remote system.
5. OpenClaw deletes the contents of the directory specified by the modified remoteWorkspaceDir or remoteAgentWorkspaceDir.
6. OpenClaw uploads the contents of the attacker’s local workspace to the now-empty remote directory, effectively replacing the original data.
7. The targeted remote directory now contains the attacker’s data instead of the original contents.
8. The attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.

Impact

Successful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.

Recommendation

• Upgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.
• Monitor OpenClaw configuration files for unauthorized modifications to remoteWorkspaceDir and remoteAgentWorkspaceDir using a file integrity monitoring system.
• Implement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.
• Deploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.

]]>highadvisorycve-2026-41383directory-traversalfile-deletionopenclawhttps://feed.craftedsignal.io/briefs/2026-04-hermes-file-deletion/Wed, 22 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-hermes-file-deletion/Hermes WebUI is vulnerable to arbitrary file deletion via path traversal in the /api/session/delete endpoint due to insufficient validation of the session_id parameter, allowing authenticated attackers to delete writable JSON files on the host system.Hermes WebUI, a web-based user interface, contains an arbitrary file deletion vulnerability, tracked as CVE-2026-6832. The vulnerability resides in the /api/session/delete endpoint. An authenticated attacker can exploit this flaw by supplying a crafted session_id parameter containing an absolute path or path traversal sequences. This allows the attacker to bypass the intended SESSION_DIR boundary and delete arbitrary files on the server, provided the attacker has write access to those files. Versions prior to the patched version are affected. Successful exploitation leads to information integrity issues and potential denial of service.

Attack Chain

1. Attacker authenticates to Hermes WebUI using valid credentials.
2. Attacker crafts a malicious HTTP POST request to the /api/session/delete endpoint.
3. The request includes a session_id parameter with a path traversal payload (e.g., ../../../../etc/passwd) or an absolute path to a target file.
4. The Hermes WebUI application fails to properly validate the session_id parameter.
5. The application constructs a file path using the unvalidated session_id, allowing it to escape the intended SESSION_DIR.
6. The application attempts to delete the file specified by the attacker-controlled path.
7. If the attacker has sufficient privileges, the target file is successfully deleted from the file system.
8. The deletion of critical system or application files leads to a denial-of-service condition or other system instability.

Impact

Successful exploitation of CVE-2026-6832 allows authenticated attackers to delete arbitrary files on the system running Hermes WebUI. This can lead to data loss, application malfunction, or even complete system compromise if critical system files are deleted. The vulnerability affects all deployments of Hermes WebUI prior to the patched version, potentially impacting numerous organizations using the vulnerable software. While the exact number of victims is unknown, the severity of the vulnerability is high due to the potential for significant damage and disruption.

Recommendation

• Upgrade Hermes WebUI to version v0.50.132 or later, where the vulnerability is patched, as referenced in the advisory.
• Implement strict input validation on the session_id parameter in the /api/session/delete endpoint to prevent path traversal attacks.
• Deploy the provided Sigma rule to detect malicious requests to the /api/session/delete endpoint containing path traversal sequences.
• Monitor web server logs for HTTP requests to /api/session/delete with suspicious session_id values.

]]>highadvisorycve-2026-6832path-traversalfile-deletionwebuihttps://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/Mon, 20 Apr 2026 20:35:20 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-08-everest-forms-rfi-rce/The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.The Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin’s improper handling of the old_files parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like wp-config.php, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the unlink() function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the “store entry information” feature disabled.

Attack Chain

1. An unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.
2. The attacker includes the old_files parameter in the POST data, injecting a path traversal payload (e.g., ../../../../wp-config.php) into its value.
3. The WordPress application processes the form submission, and the Everest Forms plugin extracts the old_files parameter.
4. The plugin’s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.
5. The plugin attaches the resolved file (e.g., /var/www/wordpress/../../../../wp-config.php) to the notification email.
6. After sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.
7. The unlink() function is called on the resolved path, leading to the deletion of the targeted file (e.g., wp-config.php).
8. The attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.

Impact

Successful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in wp-config.php. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.

Recommendation

• Immediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.
• Deploy the Sigma rule “Detect Everest Forms Arbitrary File Read Attempt” to identify potential exploitation attempts in web server logs.
• Enable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).
• Monitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).
• Implement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.

]]>criticaladvisorywordpresspluginfile-readfile-deletioncve-2026-5478https://feed.craftedsignal.io/briefs/2026-04-threatsonar-file-deletion/Mon, 20 Apr 2026 08:16:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-threatsonar-file-deletion/TeamT5's ThreatSonar Anti-Ransomware is vulnerable to arbitrary file deletion via path traversal, allowing authenticated remote attackers with web access to delete arbitrary files on the system.CVE-2026-5966 describes an arbitrary file deletion vulnerability in TeamT5’s ThreatSonar Anti-Ransomware. The vulnerability allows authenticated remote attackers with web access to exploit a path traversal flaw. This means that an attacker who already has valid credentials to access the web interface of ThreatSonar Anti-Ransomware can craft malicious requests to delete files that the application user has access to, regardless of their intended purpose or location. The CVSS v3.1 score is 8.1, indicating a high severity. The vulnerable software is ThreatSonar Anti-Ransomware from TeamT5.

Attack Chain

1. An attacker gains valid credentials to the ThreatSonar Anti-Ransomware web interface, likely through credential stuffing or phishing.
2. The attacker authenticates to the ThreatSonar Anti-Ransomware web application.
3. The attacker identifies an endpoint within the web application that handles file operations (e.g., backup, restore, quarantine).
4. The attacker crafts a malicious HTTP request to this endpoint containing a path traversal payload in a filename or filepath parameter (e.g., ../../../../windows/system32/drivers/etc/hosts).
5. The web application processes the request without proper sanitization or validation of the file path.
6. The application attempts to delete the file specified by the attacker-controlled path.
7. If the application user has sufficient privileges, the arbitrary file is deleted from the system.

Impact

Successful exploitation of this vulnerability allows authenticated attackers to delete arbitrary files on the system where ThreatSonar Anti-Ransomware is installed. This could lead to denial of service by deleting critical system files, data loss by deleting important data files, or potentially escalate privileges by deleting files used in privilege escalation techniques.

Recommendation

• Apply the patch or upgrade to the latest version of ThreatSonar Anti-Ransomware as provided by TeamT5 to address CVE-2026-5966.
• Implement input validation and sanitization on all file path parameters within the ThreatSonar Anti-Ransomware web application to prevent path traversal attacks.
• Monitor web server logs for suspicious requests containing path traversal sequences (e.g., ../, ..\\) in file-related parameters to detect potential exploitation attempts. Deploy the Sigma rule for webserver logs.
• Implement principle of least privilege and regularly audit user permissions in ThreatSonar Anti-Ransomware.

]]>highadvisoryvulnerabilityfile-deletionpath-traversalhttps://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/Fri, 17 Apr 2026 17:17:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wp-customer-area-file-read-delete/The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.The WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the ‘ajax_attach_file’ function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting wp-config.php), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.

Attack Chain

1. An attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).
2. The attacker crafts a malicious HTTP request targeting the ‘ajax_attach_file’ function.
3. The crafted request includes a manipulated file path, bypassing input validation.
4. The plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.
5. If reading, the contents of the targeted file are returned to the attacker in the HTTP response.
6. If deleting, the targeted file is removed from the server.
7. If the attacker targets a sensitive file, such as wp-config.php, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.
8. The attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.

Impact

Successful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.

Recommendation

• Upgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.
• Monitor web server logs for requests containing suspicious file paths targeting the ‘ajax_attach_file’ function (see Sigma rule below).
• Implement stricter file path validation on the web server to prevent arbitrary file access.
• Apply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.

]]>criticaladvisorywordpresspluginfile-readfile-deletionrcehttps://feed.craftedsignal.io/briefs/2026-04-chamilo-path-trav/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-path-trav/A path traversal vulnerability (CVE-2026-31939) in Chamilo LMS versions prior to 1.11.38 allows authenticated attackers to delete arbitrary files via unsanitized user input in the 'test' parameter of savescores.php.Chamilo LMS, a learning management system, is vulnerable to a path traversal vulnerability (CVE-2026-31939) affecting versions prior to 1.11.38. This vulnerability resides in the main/exercise/savescores.php script. The vulnerability arises because the application directly concatenates user-supplied input from the $_REQUEST['test'] parameter into a filesystem path without proper sanitization, canonicalization, or traversal checks. This allows an attacker to manipulate the path and potentially delete arbitrary files on the server. Successful exploitation requires an authenticated user with access to the vulnerable functionality. Organizations using affected versions of Chamilo LMS are at risk of data loss and potential system compromise.

Attack Chain

1. An authenticated user accesses the main/exercise/savescores.php script within the Chamilo LMS application.
2. The application retrieves the value of the test parameter from the $_REQUEST array.
3. The application concatenates this user-supplied value directly into a file system path without proper sanitization or validation.
4. The application then attempts to delete the file specified by the constructed path using a function such as unlink().
5. An attacker crafts a malicious test parameter containing path traversal sequences (e.g., ../../) to navigate outside the intended directory.
6. The application, without proper checks, uses the manipulated path to delete a file outside of the designated exercise directory.
7. The attacker successfully deletes arbitrary files on the server, potentially including sensitive configuration files or other critical data.

Impact

Successful exploitation of CVE-2026-31939 allows an attacker to delete arbitrary files on the Chamilo LMS server. This can lead to data loss, system instability, and potential compromise of the entire system. The CVSS v3.1 score of 8.3 (HIGH) reflects the potential for significant impact, with confidentiality, integrity, and availability all being affected. The number of victims depends on the deployment size and user base of the affected Chamilo LMS instances.

Recommendation

• Upgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-31939, as indicated in the advisory https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38.
• Implement input validation and sanitization on all user-supplied input, especially the test parameter in main/exercise/savescores.php, to prevent path traversal attacks.
• Monitor web server logs for suspicious requests to main/exercise/savescores.php containing path traversal sequences (e.g., ../, ..\\), using the provided Sigma rule as a guide.
• Implement file system access controls to limit the permissions of the web server process to only the necessary directories.

]]>highadvisorypath-traversalfile-deletionchamilo-lmshttps://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/Sat, 11 Apr 2026 08:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-wpforo-file-deletion/The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.The wpForo Forum plugin, a popular WordPress plugin, is susceptible to an arbitrary file deletion vulnerability (CVE-2026-5809) affecting versions up to and including 3.0.2. The vulnerability stems from insufficient validation of user-supplied data within the topic_add() and topic_edit() action handlers. Specifically, the plugin improperly handles array values in the $_REQUEST data, storing them as postmeta without proper filtering. An authenticated attacker (subscriber-level or higher) can exploit this by injecting a malicious file path into the data[body][fileurl] parameter. This injected path is subsequently used in a file deletion function without adequate sanitization, leading to potential deletion of critical system files. This vulnerability allows attackers to potentially cripple the WordPress installation or gain further access to the server.

Attack Chain

1. An attacker authenticates to the WordPress site with at least subscriber-level privileges.
2. The attacker crafts a malicious HTTP request targeting the topic_add() or topic_edit() action handler.
3. Within the request, the attacker includes the data[body][fileurl] parameter containing the path to the file they wish to delete (e.g., /var/www/html/wp-config.php).
4. The wpForo plugin stores the attacker-supplied fileurl value as postmeta associated with the forum topic without proper validation.
5. The attacker crafts another request, this time including the wpftcf_delete[]=body parameter, targeting the topic_edit action.
6. The add_file() method retrieves the poisoned fileurl from the stored postmeta record.
7. The plugin attempts to sanitize the path using wpforo_fix_upload_dir(), but this function only modifies paths within the legitimate wpForo upload directory, leaving other paths untouched.
8. The plugin calls wp_delete_file() on the unsanitized path, resulting in the deletion of the targeted file if the PHP process has write permissions.

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to delete arbitrary files on the server, provided the PHP process has the necessary write permissions. This can lead to a denial of service by deleting core WordPress files or configuration files such as wp-config.php. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high severity. This could lead to complete compromise of the WordPress installation and potential further exploitation of the server.

Recommendation

• Upgrade the wpForo Forum plugin to a version higher than 3.0.2 to patch CVE-2026-5809.
• Deploy the Sigma rule “Detect wpForo Arbitrary File Deletion Attempt” to your SIEM to detect potential exploitation attempts by monitoring HTTP requests to WordPress.
• Implement stricter file permission controls to limit the PHP process’s write access to only necessary directories and files.
• Monitor web server logs for suspicious POST requests containing the wpftcf_delete parameter, as highlighted in the Attack Chain.

]]>criticaladvisorywordpressfile-deletionpluginCVE-2026-5809https://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/Fri, 10 Apr 2026 20:02:46 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.The Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by .goshs files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the .goshs file itself, thereby removing the authentication requirement and exposing previously protected content. This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.

Attack Chain

1. The attacker identifies a Goshs instance utilizing .goshs files for access control.
2. The attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via httpserver/updown.go:18-60. Example: PUT /protected/put-created.txt
3. Alternatively, the attacker sends an unauthenticated multipart POST request to /upload endpoint to upload a file to a protected directory, bypassing ACL checks via httpserver/updown.go:63-165. Example: POST /protected/upload
4. The attacker sends an unauthenticated request with the ?mkdir parameter to create a directory within the protected directory, bypassing ACL checks via httpserver/handler.go:901-937. Example: /?mkdir=new_directory
5. The attacker sends an unauthenticated request with the ?delete parameter targeting the .goshs file within the protected directory, leveraging the vulnerable route in httpserver/handler.go:679-698. Example: /.goshs?delete
6. The server deletes the .goshs file using os.RemoveAll(), effectively removing the access control restrictions for the directory.
7. The attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the .goshs file.
8. The attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. The ability to delete the .goshs file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.

Recommendation

• Apply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.
• Deploy the Sigma rule “Detect Goshs Unauthenticated .goshs Deletion” to your SIEM to detect attempts to remove .goshs ACL files via the ?delete parameter.
• Deploy the Sigma rule “Detect Goshs Unauthenticated PUT Request to Protected Directories” to detect unauthorized file uploads to protected directories.
• Monitor web server logs for PUT, POST, and DELETE requests targeting directories containing .goshs files to identify potential exploitation attempts. (Log Source: webserver)

]]>criticaladvisoryauthorization bypassaclfile uploadfile deletionCVE-2026-40189https://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/Sat, 04 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-goshs-path-traversal/The goshs application is vulnerable to unauthenticated path traversal (CVE-2026-35471) due to a missing return statement in the `deleteFile()` function, allowing attackers to delete arbitrary files and directories using a crafted GET request.The goshs application, a simple static file server written in Go, is vulnerable to a path traversal vulnerability (CVE-2026-35471). This flaw exists within the deleteFile function (httpserver/handler.go) due to a missing return statement after a check for path traversal attempts using ... Specifically, if a request contains double-encoded path traversal sequences (e.g., %252e%252e), the check fails to prevent subsequent file deletion. This vulnerability, present in versions prior to 1.1.5-0.20260401172448-237f3af891a9, allows an unauthenticated attacker to delete arbitrary files and directories on the server. The vulnerability affects default configurations of goshs, requiring no authentication or specific flags to be set.

Attack Chain

1. The attacker identifies a goshs instance running a vulnerable version (prior to 1.1.5-0.20260401172448-237f3af891a9).
2. The attacker crafts a GET request to a file path containing double-encoded path traversal sequences (%252e%252e) to bypass the path traversal check in deleteFile().
3. The GET request includes the ?delete parameter to trigger the file deletion logic.
4. The deleteFile() function receives the request and decodes the path, but the missing return after the path traversal check allows the execution to continue.
5. The os.RemoveAll() function is called with the manipulated path, leading to the deletion of arbitrary files or directories outside the intended webroot.
6. The server responds with HTTP status code 200, even if the file deletion was successful or resulted in an error.
7. The attacker verifies the deletion of the targeted file/directory.

Impact

Successful exploitation of this path traversal vulnerability allows an unauthenticated attacker to delete any file or directory accessible to the goshs process. This could lead to data loss, system instability, or complete compromise of the server if critical system files are deleted. While the exact number of vulnerable instances is unknown, any organization using goshs versions prior to 1.1.5-0.20260401172448-237f3af891a9 is at risk.

Recommendation

• Upgrade to goshs version 1.1.5-0.20260401172448-237f3af891a9 or later to patch CVE-2026-35471.
• Deploy the Sigma rule “Detect goshs Path Traversal Attempt via URL Encoding” to identify ongoing exploitation attempts based on double-encoded path traversal sequences in HTTP requests.
• Monitor web server logs for GET requests containing double-encoded “..” sequences and the “?delete” parameter, indicative of exploitation attempts.

]]>criticaladvisorypath-traversalfile-deletiongoshshttps://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/Fri, 03 Apr 2026 08:16:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-perfmatters-file-deletion/The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.The Perfmatters plugin, a popular WordPress performance optimization tool, contains a critical vulnerability (CVE-2026-4350) affecting versions up to and including 2.5.9.1. This flaw enables authenticated attackers with Subscriber-level access, the lowest privilege level in WordPress, to delete arbitrary files on the server. The vulnerability stems from the PMCS::action_handler() method’s failure to sanitize the $_GET['delete'] parameter. This lack of validation allows for path traversal attacks using sequences like ../, enabling attackers to navigate outside the intended storage directory and delete any accessible file. Successful exploitation can lead to the deletion of critical files such as wp-config.php, effectively disabling the website and potentially allowing a full site takeover.

Attack Chain

1. Attacker identifies a WordPress site using a vulnerable version (<=2.5.9.1) of the Perfmatters plugin.
2. Attacker gains Subscriber-level access to the WordPress site. This can be achieved through registration or compromised credentials.
3. Attacker crafts a malicious HTTP GET request targeting the WordPress site. The request includes the delete parameter with a path traversal payload. For example: ?delete=../../../../wp-config.php.
4. The request is sent to the PMCS::action_handler() method within the Perfmatters plugin.
5. The PMCS::action_handler() method processes the unsanitized $_GET['delete'] parameter.
6. The plugin concatenates the malicious path with the storage directory.
7. The unlink() function executes, deleting the file specified by the attacker’s path traversal payload.
8. If the attacker successfully deletes wp-config.php, the WordPress site becomes inaccessible and redirects to the installation wizard, potentially allowing for complete site takeover.

Impact

Successful exploitation of CVE-2026-4350 allows attackers to delete arbitrary files on a vulnerable WordPress server. A key target is wp-config.php, which contains sensitive database credentials. Deleting this file forces WordPress into the installation wizard, potentially leading to a full site takeover. The impact ranges from defacement and data loss to complete control of the website, impacting businesses, organizations, and individuals relying on WordPress for their online presence. The ease of exploitation due to the low privilege requirements makes this a high-risk vulnerability.

Recommendation

• Immediately update the Perfmatters plugin to the latest version to patch CVE-2026-4350.
• Implement the provided Sigma rule Detect Perfmatters Arbitrary File Deletion Attempt to identify potential exploitation attempts based on cs-uri-query in web server logs.
• Consider implementing rate limiting on requests to wp-admin/options.php to mitigate potential brute-force exploitation attempts targeting this vulnerability.
• Review web server access logs for unusual patterns in cs-uri-query parameters containing ../ sequences, as these may indicate path traversal attempts.

]]>criticaladvisorycve-2026-4350wordpressperfmattersfile-deletionpath-traversalhttps://feed.craftedsignal.io/briefs/2026-04-endian-traversal/Thu, 02 Apr 2026 15:16:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-endian-traversal/Endian Firewall versions 3.3.25 and prior allow authenticated users to delete arbitrary files due to a path traversal vulnerability in the `remove ARCHIVE` parameter of the `/cgi-bin/backup.cgi` script, leading to unauthorized file system modification.Endian Firewall, a security-focused Linux distribution designed for gateway security, is vulnerable to a path traversal attack. Specifically, versions 3.3.25 and earlier are affected by CVE-2026-34790. An authenticated user, with low-level privileges, can exploit this vulnerability to delete arbitrary files on the system. The flaw resides in the /cgi-bin/backup.cgi script where the remove ARCHIVE parameter is not properly sanitized. This allows an attacker to inject directory traversal sequences (e.g., ../) into the file path, bypassing intended restrictions. This can lead to deletion of sensitive files, potentially disrupting system operations or facilitating further malicious activities. The vulnerability was reported in April 2026.

Attack Chain

1. An attacker authenticates to the Endian Firewall web interface.
2. The attacker crafts a malicious HTTP request targeting /cgi-bin/backup.cgi.
3. The request includes the remove ARCHIVE parameter with a payload containing directory traversal sequences (e.g., ../../../../etc/shadow).
4. The /cgi-bin/backup.cgi script receives the request and constructs a file path using the unsanitized remove ARCHIVE parameter.
5. The script calls the unlink() function with the attacker-controlled file path.
6. The unlink() function deletes the file specified by the manipulated path.
7. The attacker repeats this process to delete other critical system files.
8. This can lead to a denial-of-service condition, data loss, or the potential for further system compromise.

Impact

Successful exploitation of this vulnerability allows an attacker to delete arbitrary files on the Endian Firewall system. This can result in a denial-of-service (DoS) condition if critical system files are removed. An attacker may target configuration files, logs, or even binaries, leading to system instability or the disabling of security features. The number of potential victims is dependent on the number of Endian Firewall deployments running vulnerable versions (3.3.25 and prior). Given that Endian Firewall is often used in small to medium-sized businesses, the impact could range from disruption of network services to potential data breaches, depending on the specific files targeted.

Recommendation

• Apply available patches or upgrade to a version of Endian Firewall that addresses CVE-2026-34790 to remediate the vulnerability.
• Monitor web server logs for requests to /cgi-bin/backup.cgi containing directory traversal sequences (e.g., ../, ..\\) in the remove ARCHIVE parameter using the provided Sigma rule “Detect Endian Firewall Path Traversal Attempt”.
• Implement input validation and sanitization on all user-supplied input, especially within CGI scripts like /cgi-bin/backup.cgi, to prevent path traversal attacks.
• Restrict access to the Endian Firewall web interface to trusted networks or users and enforce strong authentication measures.
• Regularly back up the Endian Firewall configuration and critical system files to mitigate the impact of potential data loss due to successful exploitation.

]]>highadvisorycvepath-traversalfile-deletionweb-applicationhttps://feed.craftedsignal.io/briefs/2026-04-websvr-log-deletion/Wed, 01 Apr 2026 14:12:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-websvr-log-deletion/Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.This rule detects the deletion of web server access logs, a common tactic used by attackers to cover their tracks and hinder forensic investigations. The deletion of these logs may indicate an attempt to evade detection or destroy forensic evidence on a system. This detection rule focuses on identifying deletion events in directories commonly used for web server logs, such as those used by Apache and IIS. The rule covers multiple operating systems, providing a broad detection capability. This is important for defenders because web server logs are critical for monitoring web traffic and identifying malicious activity. The rule is designed to detect activity on “auditbeat-”, “winlogbeat-”, “logs-endpoint.events.”, “logs-windows.sysmon_operational-” indices.

Attack Chain

1. An attacker gains unauthorized access to a system hosting a web server, potentially through exploiting a vulnerability or using stolen credentials.
2. The attacker identifies the location of the web server’s access logs. Common locations include /var/log/apache*/access.log and C:\\inetpub\\logs\\LogFiles\\*.log.
3. The attacker uses a privileged account or escalates privileges to obtain the necessary permissions to delete the log files.
4. The attacker executes a command to delete the web server access logs. This could be done using rm on Linux or del on Windows.
5. The operating system records the file deletion event in its audit logs, which are monitored by security tools.
6. The detection rule identifies the deletion event based on the file path and event type.
7. The security team is alerted to the potential intrusion and begins investigating the incident.

Impact

The deletion of web server access logs can significantly impede incident response and forensic investigations. Without these logs, it becomes difficult to determine the scope and impact of an attack, including identifying compromised accounts, exploited vulnerabilities, and stolen data. This can lead to delayed or ineffective remediation efforts, potentially resulting in further damage to the organization. The impact is particularly severe if the logs are deleted before suspicious activity is detected, as it removes valuable evidence needed for analysis.

Recommendation

• Deploy the Sigma rule WebServer Access Logs Deleted to your SIEM and tune for your environment to detect malicious log deletion attempts.
• Enable file integrity monitoring (FIM) on web server log directories to detect unauthorized modifications or deletions.
• Review and tighten access controls on web server log files to ensure only authorized personnel can modify or delete them.
• Implement a robust log backup and retention policy to ensure that logs are available for forensic analysis even if they are deleted from the primary system.
• Investigate any alerts generated by the WebServer Access Logs Deleted rule promptly to determine the root cause and extent of the compromise.

]]>mediumadvisorydefense-evasionindicator-removalfile-deletionhttps://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-file-deletion/Thu, 26 Mar 2026 00:16:41 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-file-deletion/The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.The WP Job Portal plugin for WordPress versions up to and including 2.4.9 is susceptible to an arbitrary file deletion vulnerability (CVE-2026-4758). The vulnerability stems from insufficient file path validation within the WPJOBPORTALcustomfields::removeFileCustom function. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. Successful exploitation allows attackers to delete critical files such as wp-config.php…

]]>criticaladvisorycvewordpressfile-deletionremote-code-execution