VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress WPAMS plugin < 49.5.3 - Arbitrary Content Deletion vulnerability

CVE-2026-39433

Description

Subscriber-level users in WPAMS plugin before 49.5.3 can delete arbitrary content (posts, pages, images) due to missing authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPAMS (Apartment Management) plugin for WordPress versions prior to 49.5.3 contains a vulnerability that allows subscribers to delete arbitrary content. The issue stems from missing capability checks on delete actions, enabling any authenticated subscriber to delete posts, pages, and media items without proper authorization [1].

Exploitation

An attacker with a subscriber account (the lowest WordPress role) can exploit this by sending crafted HTTP requests to the plugin's delete endpoints. No special network access or additional privileges are required beyond being a logged-in subscriber. The attacker simply authenticates as a subscriber and then issues delete requests for arbitrary content IDs [1].

Impact

Successful exploitation allows the attacker to delete any content on the WordPress site, including posts, pages, images, and other media. This can lead to significant data loss, site defacement, and disruption of service. The attacker gains the ability to remove content that normally requires higher privileges (e.g., Editor or Administrator) [1].

Mitigation

The vulnerability is fixed in version 49.5.3 of the WPAMS plugin. Users should update to this version or later immediately. If updating is not possible, a security plugin such as Patchstack can provide a mitigation rule that blocks attacks until the update is applied. The plugin is not end-of-life, and no other workarounds are documented [1].

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
