VYPR
Unrated severity · NVD Advisory · Published Dec 27, 2022 · Updated Aug 3, 2024

FlatPress File Delete panel.mediamanager.file.php doItemActions path traversal

CVE-2022-4748

Description

A critical path traversal vulnerability in FlatPress's file deletion handler allows remote attackers to delete arbitrary files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A critical path traversal vulnerability exists in FlatPress, affecting the doItemActions function within the fp-plugins/mediamanager/panels/panel.mediamanager.file.php file of the File Delete Handler component. The vulnerability allows an attacker to manipulate the deletefile argument, leading to the deletion of files outside the intended directory. The issue is present in versions prior to the patch commit [2].

Exploitation

An attacker with network access can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint. The request must include a deletefile parameter containing path traversal sequences (e.g., ../). No authentication is required if the endpoint is publicly accessible, though the default configuration may require some level of access to the media manager interface (see [1] for discussion). The exploit does not require any special privileges beyond the ability to reach the vulnerable function.

Impact

Successful exploitation allows an attacker to delete arbitrary files on the server where FlatPress is installed. This could lead to data loss, denial of service, or further compromise as critical system files might be removed. The vulnerability has a high severity rating due to the potential impact on confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed by commit 5d5c7f6d8f072d14926fc2c3a97cdd763802f170 [2], which sanitizes the file name by removing path traversal characters (., /, \). Users should upgrade to a version that includes this commit or apply the patch manually. As of the publication date, there is no evidence of active exploitation in the wild (not listed in KEV).
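The fix described above works by cleaning the supplied file name. The following is an added illustration (not FlatPress code and not the patch itself) of the two checks a file-deletion handler needs so that a `deletefile`-style parameter cannot reach outside its directory: reject names that carry separators or NUL bytes, then confirm the normalized path is still under the media directory before touching the filesystem. The media directory path and the sample names are constructed for the demo; the containment check is lexical (`posixpath`) so it runs without a real filesystem, and the unlink step adds a `realpath` check so a planted symlink cannot redirect the deletion.

```python
import os
import posixpath

# Constructed media directory for the demo (assumption: FlatPress's real
# upload directory is not taken from the advisory).
MEDIA_DIR = "/var/www/flatpress/fp-content/attachs"


class UnsafePath(ValueError):
    """Raised when a user-supplied name would escape the media directory."""


def resolve_media_path(base_dir: str, user_name: str) -> str:
    """Return the normalized absolute path of user_name inside base_dir.

    Layer 1: the name must be a single component. Slashes, backslashes
    and NUL bytes are rejected outright rather than stripped, so the
    check cannot be bypassed by an encoding the stripping routine missed.
    Layer 2: the joined, normalized path must still lie under base_dir.
    This is the containment check a vulnerable handler lacks; it also
    catches a bare '..' or '.' that passes layer 1.
    """
    if not user_name or any(c in user_name for c in ("/", "\\", "\x00")):
        raise UnsafePath(f"rejected file name: {user_name!r}")

    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_name))

    # commonpath() compares whole components, so '/srv/attachs2' is not
    # treated as lying inside '/srv/attachs'.
    if posixpath.commonpath([base, candidate]) != base:
        raise UnsafePath(f"path escapes media directory: {candidate}")
    if candidate == base:
        raise UnsafePath("name resolves to the media directory itself")
    return candidate


def is_safe_delete(base_dir: str, user_name: str) -> bool:
    """True if user_name resolves to a file inside base_dir."""
    try:
        resolve_media_path(base_dir, user_name)
        return True
    except UnsafePath:
        return False


def delete_media_file(base_dir: str, user_name: str) -> str:
    """Unlink user_name from base_dir after both checks; returns the path.

    realpath() is applied last so that a symlink placed inside the media
    directory cannot point the unlink at a file elsewhere on disk.
    """
    path = resolve_media_path(base_dir, user_name)
    real = os.path.realpath(path)
    real_base = os.path.realpath(base_dir)
    if os.path.commonpath([real_base, real]) != real_base:
        raise UnsafePath(f"symlink escapes media directory: {real}")
    os.unlink(real)
    return real


def demo() -> dict:
    """Evaluate a few constructed names against the checks."""
    samples = [
        "photo.jpg",                      # legitimate upload
        "..",                             # bare traversal component
        ".",                              # the directory itself
        "../../etc/passwd",               # classic traversal
        "..\\..\\fp-content\\config.php", # backslash variant
        "photo.jpg\x00.png",              # NUL byte truncation attempt
    ]
    return {name: is_safe_delete(MEDIA_DIR, name) for name in samples}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {name!r}")
```

The reject-then-contain ordering is easier to audit than stripping characters from the name: a stripped name silently becomes a different file, whereas a rejected request leaves a clear log entry for the request that carried the traversal sequence. Any URL decoding should happen before the name reaches this function, so that the check sees the same bytes the filesystem would.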

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0 (No linked articles in our index yet.)