File-Read — CraftedSignal Threat Feed

Everest Forms Plugin Arbitrary File Read and Deletion Vulnerability

hello@craftedsignal.io — Mon, 20 Apr 2026 20:35:20 +0000

The Everest Forms plugin for WordPress, versions 3.4.4 and earlier, contains an arbitrary file read and deletion vulnerability (CVE-2026-5478). This flaw stems from the plugin’s improper handling of the old_files parameter within form submissions. Specifically, the plugin trusts attacker-controlled data as legitimate server-side upload state and insecurely converts URLs into local filesystem paths without adequate sanitization. This lack of input validation enables unauthenticated attackers to inject path traversal sequences, leading to the disclosure of sensitive files like wp-config.php, which contains database credentials and authentication salts. Furthermore, the flawed path resolution is utilized in a post-email cleanup routine, resulting in arbitrary file deletion via the unlink() function, potentially causing a denial-of-service condition. Successful exploitation requires a form with a file-upload or image-upload field and the “store entry information” feature disabled.

Attack Chain

An unauthenticated attacker crafts a malicious HTTP POST request to a WordPress page containing an Everest Forms form with a file upload field.
The attacker includes the old_files parameter in the POST data, injecting a path traversal payload (e.g., ../../../../wp-config.php) into its value.
The WordPress application processes the form submission, and the Everest Forms plugin extracts the old_files parameter.
The plugin’s flawed logic converts the attacker-supplied URL into a local file system path using regex-based string replacement without canonicalization or directory boundary enforcement.
The plugin attaches the resolved file (e.g., /var/www/wordpress/../../../../wp-config.php) to the notification email.
After sending the notification email, the post-email cleanup routine utilizes the same flawed path resolution to determine the file to delete.
The unlink() function is called on the resolved path, leading to the deletion of the targeted file (e.g., wp-config.php).
The attacker gains access to sensitive information (database credentials, salts) or causes a denial of service by deleting critical system files.

Impact

Successful exploitation of CVE-2026-5478 allows unauthenticated attackers to read arbitrary files on the WordPress server, potentially exposing sensitive information like database credentials and authentication salts stored in wp-config.php. This could lead to full site compromise, including data theft, defacement, or further malicious activities. Furthermore, the ability to delete arbitrary files enables attackers to cause a denial-of-service condition by removing critical system or application files. The impact is significant as it affects all versions of the Everest Forms plugin up to and including 3.4.4.

Recommendation

Immediately update the Everest Forms plugin to a version higher than 3.4.4 to patch CVE-2026-5478.
Deploy the Sigma rule “Detect Everest Forms Arbitrary File Read Attempt” to identify potential exploitation attempts in web server logs.
Enable web server logging to capture HTTP POST requests, which are crucial for detecting path traversal attempts (cs-uri-query, cs-method in webserver logs).
Monitor file deletion events on the WordPress server, especially those initiated by the web server user, using a file integrity monitoring (FIM) solution (file_event logs).
Implement input validation and sanitization for all user-supplied data, especially file paths, to prevent path traversal vulnerabilities.

WP Customer Area Plugin Arbitrary File Read and Deletion Vulnerability

hello@craftedsignal.io — Fri, 17 Apr 2026 17:17:07 +0000

The WP Customer Area plugin, a popular WordPress plugin, is susceptible to an arbitrary file read and deletion vulnerability. This flaw, identified as CVE-2026-3464, resides within the ‘ajax_attach_file’ function and stems from inadequate file path validation. All versions of the plugin up to and including 8.3.4 are affected. The vulnerability enables authenticated attackers with minimal privileges (e.g., Subscriber), granted access by an administrator, to read arbitrary files on the server, potentially exposing sensitive data. Attackers can also delete arbitrary files, which, in certain cases (such as deleting wp-config.php), can pave the way for remote code execution. This vulnerability poses a significant risk to WordPress websites utilizing the WP Customer Area plugin.

Attack Chain

An attacker gains authenticated access to a WordPress site with the WP Customer Area plugin enabled, with privileges granted by an administrator (e.g., as a Subscriber).
The attacker crafts a malicious HTTP request targeting the ‘ajax_attach_file’ function.
The crafted request includes a manipulated file path, bypassing input validation.
The plugin, failing to properly sanitize the file path, attempts to read or delete the file specified in the malicious request.
If reading, the contents of the targeted file are returned to the attacker in the HTTP response.
If deleting, the targeted file is removed from the server.
If the attacker targets a sensitive file, such as wp-config.php, and successfully deletes it, the WordPress installation becomes unstable and potentially allows for re-installation and control by the attacker.
The attacker exploits the instability to achieve remote code execution, potentially installing a web shell or other malicious code.

Impact

Successful exploitation of this vulnerability (CVE-2026-3464) allows attackers to read sensitive files, potentially including database credentials, API keys, and other confidential information. Moreover, the ability to delete arbitrary files can lead to denial-of-service conditions or, more critically, remote code execution. The number of affected websites is potentially large, given the popularity of the WP Customer Area plugin. A successful attack can result in complete compromise of the WordPress website and its underlying server.

Recommendation

Upgrade the WP Customer Area plugin to a version greater than 8.3.4 to patch CVE-2026-3464.
Monitor web server logs for requests containing suspicious file paths targeting the ‘ajax_attach_file’ function (see Sigma rule below).
Implement stricter file path validation on the web server to prevent arbitrary file access.
Apply the provided Sigma rules to your SIEM to detect and alert on malicious attempts to exploit this vulnerability.

Unlimited Elements for Elementor WordPress Plugin Arbitrary File Read (CVE-2026-4659)

hello@craftedsignal.io — Fri, 17 Apr 2026 07:23:36 +0000

The Unlimited Elements for Elementor plugin, versions 2.0.6 and earlier, contains an arbitrary file read vulnerability (CVE-2026-4659). This vulnerability stems from inadequate sanitization of path traversal sequences within the URLtoRelative() and urlToPath() functions, particularly when combined with the ability to enable debug output. The URLtoRelative() function inadequately strips the base URL without properly sanitizing path traversal characters (../). Successful exploitation allows authenticated attackers with Author-level permissions or higher to access and read arbitrary local files on the WordPress host. This can include sensitive configuration files like wp-config.php, potentially exposing database credentials and other sensitive information.

Attack Chain

An attacker authenticates to the WordPress application with Author-level or higher privileges.
The attacker identifies the Repeater JSON/CSV URL parameter within the Unlimited Elements widget settings.
The attacker crafts a malicious URL containing path traversal sequences (e.g., http://site.com/../../../../etc/passwd) in the Repeater JSON/CSV URL parameter.
The crafted URL is passed to the URLtoRelative() function, which removes the base URL but fails to sanitize the path traversal sequences.
The resulting path (e.g., /../../../../etc/passwd) is concatenated with the base path by the application.
The cleanPath() function normalizes directory separators, but does not remove traversal components, leaving the path vulnerable.
The application resolves the path, leading to access of the targeted file (e.g., /etc/passwd).
The attacker retrieves the contents of the arbitrary file, such as wp-config.php, potentially extracting sensitive information.

Impact

Successful exploitation of this vulnerability allows attackers to read arbitrary files on the WordPress host. This can lead to the exposure of sensitive data, including database credentials, API keys, and other configuration settings stored in files like wp-config.php. The impact ranges from data leakage to potential full compromise of the WordPress installation and the underlying server, depending on the contents of the accessed files and the attacker’s subsequent actions. The number of potentially affected WordPress sites is substantial, given the popularity of the Elementor plugin.

Recommendation

Upgrade the Unlimited Elements for Elementor plugin to a version greater than 2.0.6 to patch CVE-2026-4659.
Monitor web server logs for HTTP requests containing path traversal sequences (../) in the URI, focusing on requests targeting WordPress plugins; use the provided Sigma rule to facilitate this detection.
Implement stricter input validation and sanitization for URL parameters within WordPress plugins, specifically when handling file paths, to prevent path traversal vulnerabilities.

HashiCorp go-getter Arbitrary File Read Vulnerability (CVE-2026-4660)

hello@craftedsignal.io — Thu, 09 Apr 2026 14:16:32 +0000

HashiCorp’s go-getter library, a tool for retrieving files or directories from various sources, is susceptible to an arbitrary file read vulnerability (CVE-2026-4660) in versions up to 1.8.5. The vulnerability stems from insufficient validation of URLs during git operations, potentially allowing a malicious actor to craft a URL that, when processed by go-getter, results in the reading of arbitrary files from the system’s file system. This could lead to the exposure of sensitive data, configuration files, or credentials. The vulnerability has been patched in go-getter version 1.8.6, and the go-getter/v2 branch is not affected. This vulnerability allows for information disclosure, with a CVSS v3.1 score of 7.5.

Attack Chain

The attacker crafts a malicious URL designed to exploit the go-getter library’s git operation handling.
The attacker delivers the malicious URL to a system running a vulnerable version of go-getter (<= 1.8.5). The specific delivery mechanism is not defined in the source material.
The go-getter library processes the URL, attempting to retrieve files as instructed.
Due to insufficient URL validation, the go-getter library is tricked into accessing arbitrary files on the system.
The content of the accessed files is read by the go-getter library.
The attacker retrieves the contents of the file through the go-getter library.
The attacker gains access to potentially sensitive information contained within the accessed file.
The attacker leverages the disclosed information for further malicious activities, such as privilege escalation or lateral movement.

Impact

Successful exploitation of CVE-2026-4660 allows an attacker to read arbitrary files on the system where the vulnerable go-getter library is running. This can lead to the disclosure of sensitive information, including configuration files, credentials, source code, or other confidential data. The number of potential victims is dependent on the widespread adoption of the go-getter library across various systems and applications. The impact is significant as it allows for unauthorized access to sensitive data, potentially leading to further compromise of the affected system and network.

Recommendation

Upgrade the go-getter library to version 1.8.6 or later to remediate CVE-2026-4660.
Implement input validation and sanitization on URLs processed by the go-getter library, focusing on git operations to prevent similar vulnerabilities.
Monitor network traffic for suspicious URL patterns that may indicate exploitation attempts targeting CVE-2026-4660. While no specific network IOCs are provided, generic webserver rules may be helpful.
Deploy the Sigma rule Detect Go-Getter Arbitrary File Read Attempt to identify potential exploitation attempts based on suspicious process command-line arguments.

Gotenberg Chromium Deny-List Bypass via Case-Insensitive URL Scheme

hello@craftedsignal.io — Mon, 30 Mar 2026 16:16:57 +0000

Gotenberg, a popular Docker-based solution for converting HTML, Markdown, and Office documents to PDF, is susceptible to a critical vulnerability in versions prior to 8.29.0. This flaw allows for unauthenticated arbitrary file read due to a bypass in the Chromium deny-list. The vulnerability stems from the application’s failure to enforce case-sensitivity when validating URL schemes against the deny-list, implemented to prevent access to sensitive files. An attacker can exploit this by using…

Weaver E-cology Arbitrary File Read Vulnerability (CVE-2022-50992)

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 are vulnerable to an arbitrary file read vulnerability (CVE-2022-50992) within the XmlRpcServlet interface. This vulnerability is located at the XML-RPC endpoint and allows unauthenticated remote attackers to read arbitrary files on the system. The attack leverages the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods, which can be accessed without authentication, to supply file paths. Successful exploitation enables attackers to retrieve sensitive files, including system configuration files and database credentials, from the compromised server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC), highlighting active exploitation of this vulnerability.

Attack Chain

An unauthenticated attacker identifies a Weaver E-cology 9.5 instance.
The attacker sends a crafted XML-RPC request to the XmlRpcServlet endpoint.
The request invokes either the WorkflowService.getAttachment or WorkflowService.LoadTemplateProp method.
The attacker includes a file path to a sensitive file (e.g., /etc/passwd, database configuration files) as a parameter in the XML-RPC request.
The vulnerable method processes the request without proper authentication or authorization checks.
The server reads the content of the specified file.
The server returns the file content in the XML-RPC response.
The attacker parses the response to extract the contents of the sensitive file, potentially gaining access to credentials or other sensitive information.

Impact

Successful exploitation of CVE-2022-50992 allows unauthenticated attackers to read arbitrary files on the Weaver E-cology server. This can lead to the disclosure of sensitive information, such as system configuration files, database credentials, and other confidential data. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability. This vulnerability can lead to full system compromise if database credentials are leaked.

Recommendation

Upgrade Weaver E-cology instances to version 10.52 or later to remediate CVE-2022-50992.
Deploy the Sigma rule Detect Weaver E-cology File Read via XML-RPC to identify exploitation attempts targeting the vulnerable XML-RPC endpoint.
Monitor web server logs for suspicious requests to the XmlRpcServlet endpoint, specifically those containing WorkflowService.getAttachment or WorkflowService.LoadTemplateProp, using the provided Sigma rule.
Implement network segmentation to limit the blast radius of a potential compromise and restrict access to sensitive internal resources.