CVE-2021-24639
HIGHOMGF WordPress Plugin < 4.5.4 - Authenticated Path Traversal and Arbitrary File Deletion via omgf_ajax_empty_dir
Title source: llmDescription
The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/1ada2a96-32aa-4e37-809c-705db6026e0b
Scores
CVSS v3
8.1
EPSS
0.0088
EPSS Percentile
54.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-22
CWE-352
CWE-862
Status
published
Products (1)
ffw/omgf
< 4.5.4
Published
Sep 20, 2021
Tracked Since
Feb 18, 2026