VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2019 · Updated Aug 5, 2024

CVE-2019-14793

Description

The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter.

Vulnerability mechanics

Root cause

"The plugin fails to properly sanitize the attachment_id parameter in the AJAX request, allowing arbitrary file deletion."

Attack vector

An attacker can send a crafted POST request to `wp-admin/admin-ajax.php` with the `action` parameter set to `rwmb_delete_file` and the `attachment_id` parameter set to the ID of the file they wish to delete. Because the handler is exposed through WordPress's AJAX endpoint, the request can be issued directly once the attacker holds a session, with no further interaction in the admin interface. The vulnerability is present in versions of the Meta Box plugin prior to 4.16.3.

Affected code

The vulnerability lies within the AJAX handler for file deletion in the Meta Box plugin. The specific function responsible for handling the `rwmb_delete_file` action does not adequately validate user permissions before deleting the file identified by the `attachment_id` parameter.

What the fix does

The patch addresses the vulnerability by adding a security check within the `rwmb_delete_file` AJAX action. Specifically, it now verifies that the user has the necessary permissions to delete the specified attachment before proceeding with the deletion. This prevents unauthorized users from deleting files through this endpoint.
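
As an added illustration, not the Meta Box plugin's own source and not the actual fix commit, the handler below shows the checks described above implemented with standard WordPress APIs; the function name `example_rwmb_delete_file_hardened`, the nonce action name and the response messages are assumptions.

```php
<?php
/**
 * Illustrative WordPress AJAX handler for an attachment-deletion action.
 * Added example code, not the Meta Box plugin's source: the function name,
 * nonce action name and messages are hypothetical. It shows the checks a
 * handler on the `rwmb_delete_file` action needs before deleting a file.
 */

// WordPress routes admin-ajax.php?action=rwmb_delete_file to the
// wp_ajax_{action} hook for logged-in users only; no wp_ajax_nopriv_ hook
// is registered, so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_rwmb_delete_file', 'example_rwmb_delete_file_hardened' );

function example_rwmb_delete_file_hardened() {
	// 1. CSRF protection: the request must carry a nonce issued for this
	//    action (nonce action name 'rwmb-delete-file' is hypothetical).
	check_ajax_referer( 'rwmb-delete-file', 'nonce' );

	// 2. Input validation: attachment_id must be a positive integer that
	//    refers to an existing attachment post, not an arbitrary post.
	$attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
	if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
	}

	// 3. Authorization: the check the vulnerable behaviour lacked. Being
	//    logged in is not enough; the caller must be allowed to delete
	//    *this* attachment (roughly: its owner, or a role holding
	//    delete_others_posts), which current_user_can() resolves for us.
	if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
		wp_send_json_error( array( 'message' => 'You are not allowed to delete this file.' ), 403 );
	}

	// 4. Only now perform the deletion and report the outcome.
	$deleted = wp_delete_attachment( $attachment_id, true );
	if ( ! $deleted ) {
		wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
	}
	wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

Step 3 is the one that matters for this CVE: without it, any authenticated user who can reach `admin-ajax.php` can delete attachments they do not own.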

Preconditions

  • config: The Meta Box plugin must be installed and active on a WordPress site.
  • auth: The attacker needs to be authenticated as a user who can trigger AJAX requests, though not necessarily one with explicit file deletion privileges.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
