VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Car Zone theme <= 3.7 - Arbitrary File Deletion vulnerability

CVE-2025-69139

Description

Unauthenticated arbitrary file deletion in Car Zone theme <= 3.7 allows attackers to delete arbitrary files, potentially breaking sites.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Car Zone WordPress theme, versions 3.7 and earlier, contains an unauthenticated arbitrary file deletion vulnerability. The flaw is in the theme's own code and lets any remote attacker delete arbitrary files on the server without authenticating. No special configuration or user interaction is required, which makes the vulnerability easily reachable. [1]

Exploitation

An attacker exploits this vulnerability by sending a crafted request to the vulnerable theme endpoint. No prior authentication, special network position, user interaction or other specific condition is required: an attacker who knows the target site's URL can trigger the file deletion remotely over the internet. [1]

Impact

Successful exploitation allows the attacker to delete arbitrary files from the target WordPress site, including critical core files. This can cause the website to break, stop functioning, or become completely inaccessible. The vulnerability does not directly give the attacker code execution or a way to steal data, but deleting core files can lead to denial of service and potential loss of website integrity. [1]

Mitigation

The vendor has released a fix in Car Zone version 3.8 and later. Users are strongly advised to update immediately. If you are unable to update, contact your hosting provider or web developer for assistance. As noted by Patchstack, this vulnerability is highly dangerous and expected to be exploited in mass campaigns, so prompt action is essential. [1]
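To find installations that still need the update, the following added example (not code from the vendor, Patchstack or this advisory) reads each installed theme's `style.css` header and flags copies of Car Zone older than 3.8. It assumes the theme identifies itself with the header `Theme Name: Car Zone` and treats every version below 3.8 as affected; the directory names in the demo are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 8)  # first fixed release according to the advisory
# Same header style WordPress parses: optional comment prefix, then "Key: value".
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):[ \t]*(.+?)\s*$", re.M | re.I)

def read_theme_header(style_css: Path) -> dict:
    """Parse a theme header; WordPress itself only reads the first 8 KiB."""
    text = style_css.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def parse_version(raw: str) -> tuple:
    """'3.7' -> (3, 7); suffixes such as '-beta' are ignored, garbage -> (0,)."""
    nums = re.findall(r"\d+", raw.split("-")[0])
    return tuple(int(n) for n in nums) or (0,)

def audit_themes(themes_dir: Path, name: str = "Car Zone") -> list:
    """Return (directory, version, affected) for each installed copy of the theme."""
    findings = []
    for css in sorted(themes_dir.glob("*/style.css")):
        h = read_theme_header(css)
        # Child themes carry a Template header and their own unrelated version.
        if h.get("theme name", "").lower() != name.lower() or "template" in h:
            continue
        version = h.get("version", "0")  # missing version: assume affected
        findings.append((css.parent.name, version, parse_version(version) < FIXED))
    return findings

def demo() -> list:
    """Audit a constructed wp-content/themes directory (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {"carzone": "3.7", "carzone-new": "3.8", "other": "1.0"}
        for slug, ver in samples.items():
            (root / slug).mkdir()
            name = "Other Theme" if slug == "other" else "Car Zone"
            (root / slug / "style.css").write_text(
                f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\n")
        return audit_themes(root)

if __name__ == "__main__":
    for slug, version, affected in demo():
        print(f"{slug}: {version} -> {'AFFECTED, update to 3.8+' if affected else 'ok'}")
```

On a real host, call `audit_themes(Path("<site root>/wp-content/themes"))` for each site; an inactive but installed copy of the theme is still reported.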

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1

News mentions

1