CVE-2019-14793
MEDIUMMeta Box < 4.16.3 - Authenticated Arbitrary File Deletion via AJAX Action
Title source: llmDescription
The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://metabox.io/changelog/
Exploit, Third Party Advisory x_refsource_misc
https://www.pluginvulnerabilities.com/2019/02/01/full-disclosure-of-authenticated-arbitrary-file-deletion-vulnerability-in-wordpress-plugin-with-300000-installs/
Scores
CVSS v3
6.5
EPSS
0.0100
EPSS Percentile
58.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-862
Status
published
Products (1)
metabox/meta_box
< 4.16.3
Published
Aug 09, 2019
Tracked Since
Feb 18, 2026