Favicon Generator < 2.1 - Arbitrary File Deletion via CSRF
Description
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not perform CSRF or path validation in the output_sub_admin_page_0() function, allowing attackers to make logged-in admins delete arbitrary files on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Favicon Generator WordPress plugin before 2.1 lacks CSRF and path validation, allowing attackers to trick admins into deleting arbitrary files.
Vulnerability
The Favicon Generator (CLOSED) WordPress plugin versions before 2.1 are vulnerable to an arbitrary file deletion issue. The plugin fails to implement Cross-Site Request Forgery (CSRF) protection and does not validate the file path in the output_sub_admin_page_0() function. This allows an attacker to craft a malicious request that, when executed by a logged-in administrator, can delete any file on the server [1].
Exploitation
An attacker must trick a logged-in administrator into visiting a malicious page or clicking a crafted link. The attacker needs no account of their own, but the victim must have administrator privileges, because the forged request is sent by the victim's browser with the victim's session cookies attached and WordPress processes it as an authenticated admin action. The exploit leverages the missing CSRF token and insufficient path validation to send a forged request to the vulnerable function, specifying an arbitrary file path to delete [1].
Impact
Successful exploitation leads to arbitrary file deletion on the server, bounded only by the filesystem permissions of the web server process. This can result in denial of service, destruction of critical WordPress files (e.g., wp-config.php), or removal of user-uploaded content. The attacker does not gain direct code execution but can severely disrupt site functionality [1]. Deleting wp-config.php in particular causes WordPress to fall back to its installation routine on the next request, so the damage should not be assumed to stop at an outage.
Mitigation
The vulnerability is fixed in version 2.1 of the plugin. Administrators should update the Favicon Generator plugin to version 2.1 or later immediately. If updating is not possible, disable the plugin until a patch is applied. No other workarounds are currently available [1]. The plugin is listed as CLOSED, so if no 2.1 release can be obtained through the normal update channel, remove the plugin rather than leaving the vulnerable version installed.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Favicon Generator (CLOSED), range: <2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection and path validation in the output_sub_admin_page_0() function allows arbitrary file deletion."
Attack vector
An attacker crafts a malicious request that targets the output_sub_admin_page_0() function in the Favicon Generator plugin. Because the function lacks CSRF protection [CWE-352] and does not validate the file path, the attacker can trick a logged-in administrator into clicking a link or visiting a page that triggers the request. The request then deletes an arbitrary file on the server chosen by the attacker [ref_id=1].
Affected code
The vulnerable function is output_sub_admin_page_0() in the Favicon Generator plugin for WordPress [ref_id=1]. The advisory does not specify the exact file path within the plugin.
What the fix does
The advisory states the vulnerability is fixed in version 2.1 of the Favicon Generator plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix would need to add CSRF nonce verification (in WordPress terms, a wp_nonce_url()/check_admin_referer() pair) to the output_sub_admin_page_0() function and implement path validation so that only intended files (e.g., generated favicon files within the plugin's output directory) can be deleted. A capability check on the current user is also expected for any admin-page action that deletes files.
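The two shapes described above, as an added illustration rather than the plugin's own code: the function name output_sub_admin_page_0() comes from the advisory, but its body, the 'file' and 'action' request parameters, the menu slug 'favicon-generator' and the output directory under wp-content/uploads/favicons/ are all assumed for the example. The vulnerable form passes a request-supplied path straight to unlink() with no nonce; the hardened form requires a capability, verifies a nonce bound to the delete action, and confines the target to one directory after resolving symlinks.

```php
<?php
// Added example, not code from the Favicon Generator plugin. The function
// name is from the advisory; parameters, slug and directory are assumed.

// --- Vulnerable shape: no capability check, no nonce, raw path to unlink().
function output_sub_admin_page_0_vulnerable() {
    if ( isset( $_GET['file'] ) ) {
        // A cross-site GET from an admin's browser reaches this line with the
        // admin's cookies; the path is attacker-chosen and unvalidated.
        unlink( $_GET['file'] );
        echo '<div class="updated"><p>Deleted.</p></div>';
    }
    // ... render the rest of the admin page ...
}

// --- Hardened shape.

// Assumed output directory for generated favicons.
define( 'FGEN_OUTPUT_DIR', trailingslashit( wp_upload_dir()['basedir'] ) . 'favicons/' );

// Build a delete link that carries a nonce for the delete action.
function fgen_delete_url( $name ) {
    $url = add_query_arg(
        array( 'page' => 'favicon-generator', 'action' => 'delete', 'file' => $name ), // assumed slug
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'fgen_delete_favicon' );
}

// Map a request-supplied name to a file inside FGEN_OUTPUT_DIR, or false.
function fgen_resolve_output_file( $name ) {
    // Accept a bare file name only: strips any directory component.
    $name = basename( (string) $name );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return false;
    }
    $base = realpath( FGEN_OUTPUT_DIR );
    $path = realpath( FGEN_OUTPUT_DIR . $name );
    // realpath() resolves symlinks, so a link planted inside the output
    // directory that points elsewhere also fails the prefix check.
    if ( $base === false || $path === false || ! is_file( $path ) ) {
        return false;
    }
    if ( strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    return $path;
}

function output_sub_admin_page_0_hardened() {
    if ( isset( $_GET['action'] ) && $_GET['action'] === 'delete' ) {
        // Capability check: only users allowed to manage the site may delete.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }
        // Nonce check: dies with a 403 unless _wpnonce was minted for this
        // action for this user, which a cross-site page cannot obtain.
        check_admin_referer( 'fgen_delete_favicon' );

        $name = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
        $path = fgen_resolve_output_file( $name );
        if ( $path === false ) {
            wp_die( 'Invalid file.' );
        }
        wp_delete_file( $path );
        echo '<div class="updated"><p>Deleted ' . esc_html( $name ) . '.</p></div>';
    }
    // ... render the form, using fgen_delete_url() for each delete link ...
}
```

The order of the checks matters: the capability and nonce checks run before the request parameter is even read, so a forged request is rejected regardless of what path it names, and the path check then limits what a genuine admin click can remove to files the plugin itself generated.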
Preconditions
- Auth: A logged-in WordPress administrator must be tricked into performing the action.
- Network: The attacker must be able to deliver a crafted request (e.g., via a link or cross-origin request) to the administrator's browser.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/6ce62e78-04a4-46b2-b97f-c4ef8f3258c3/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.