Jan 21 · 3 min read

WP elite is safe, but are you? Are you a WP service provider of any kind (a hosting company, a small or big agency, a developer or webmaster of a popular WP-based online solution) who doesn’t have exclusive access to the security reports and knowledge sent by researchers to WP? If you satisfy that condition, you are in the right place. If you are part of the elite, feel free to continue to the internal trackers and read this information, which has been sitting there for a long time.

Arbitrary file delete vulnerability a.k.a. WP scotch

WP suffers (present tense on purpose, because it still does) from an arbitrary file delete vulnerability, already published and “fixed” a few times by the WP elite. In the past I released an advisory explaining that the vulnerability isn’t fixed and the reasons why:

PoC arbitrary file delete

Navigate to your WP root directory and create a delete_target.php file. After that, run the following code:

Implications and conclusions from the above code

This means that anyone who can meddle with the protected meta _wp_attached_file for a given attachment is able to carry out this type of attack; that is the only condition for a successful attack. The $meta['thumb'] part isn’t interesting at all, because WP sanitizes the input this way (the file only needs to exist on the file system):

$newmeta['thumb'] = wp_basename( $_POST['thumb'] );

Meddling with protected meta

The easiest way to add _wp_attached_file is via the wordpress-importer plugin, which is recommended in the WP core. We all know that using the importer is a security issue by itself (options, unserialize of user input, …), but on many projects those things are hardened and these types of attacks are impossible. That is why we have this issue, to bypass those (kidding, to patch the projects without access to the exclusive information of the WP elite). :)

Given this, examples of vulnerable systems are WP core multisite and WooCommerce, in cases where wordpress-importer is enabled on the system by a site administrator (not network) / shop manager. Social engineering techniques where an admin/shop manager is tricked into importing a file supplied by a rogue author are also in play, because this author-role user can supply the thumb value at any time and perform the delete in order to reset the installation, delete some files, or disclose information.

P.S. Besides SE techniques, there is one more way for WP importer users to be blown off by low-impact users such as visitors :)

Is this all?

Of course it is not; there are a few other protected meta manipulation techniques, which will be disclosed in the coming period (don’t worry, the WP elite knows them, it is safe!)

How to protect your setup

I would advise checking the wp_delete_file function and creating a list of important files from your setup that shouldn’t be removed by any means, if you don’t want to set certain file system permissions!
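One way to implement the protected-file list described above, as an added example that is not code from the original post or from WordPress itself: a must-use plugin hooked on the core `wp_delete_file` filter, which skips the delete when the filter returns an empty value. The function name `pfg_guard_delete`, the constant `PFG_PROTECTED` and the sample list are hypothetical, and the guard assumes it receives absolute paths.

```php
<?php
/**
 * Plugin Name: Protected file delete guard (added example)
 *
 * Drop into wp-content/mu-plugins/. The function name and the list below
 * are hypothetical; adjust the list to your own setup.
 */

// Constructed sample list: files and directories (trailing slash) that must
// never be removed through wp_delete_file(), relative to the WP root.
const PFG_PROTECTED = array(
	'wp-config.php',
	'.htaccess',
	'index.php',
	'wp-admin/',
	'wp-includes/',
);

function pfg_guard_delete( $file ) {
	if ( ! is_string( $file ) || '' === $file ) {
		return $file;
	}
	// Resolve ../ segments and symlinks so the comparison is made on the
	// path that unlink() would really hit, not on the string as supplied.
	$real = realpath( $file );
	if ( false === $real ) {
		return $file; // Nothing exists at that path, nothing to protect.
	}
	$real = wp_normalize_path( $real );
	$root = trailingslashit( wp_normalize_path( realpath( ABSPATH ) ) );

	foreach ( PFG_PROTECTED as $entry ) {
		$protected = $root . $entry;
		$is_dir    = '/' === substr( $entry, -1 );
		// Directories match by prefix, files by exact resolved path.
		$hit = $is_dir
			? 0 === strpos( $real . '/', $protected )
			: $real === $protected;
		if ( $hit ) {
			error_log( 'wp_delete_file blocked for protected path: ' . $real );
			return ''; // Empty value makes wp_delete_file() skip the delete.
		}
	}
	return $file;
}
// Run last so no other callback can rewrite the path after the check.
add_filter( 'wp_delete_file', 'pfg_guard_delete', PHP_INT_MAX );
```

The filter only covers deletions routed through `wp_delete_file`; code that calls `unlink()` directly is not affected, so file system permissions remain the stronger control.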

WP elites are most important, they can do what they want!


If you are a WP developer, WP host provider or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).

