Bulk Delete [Privilege Escalation]

Description

The Bulk Delete plugin for WordPress suffers from a privilege escalation vulnerability. Any registered user can exploit the missing capability checks to perform every administrative task provided by the Bulk Delete plugin. Some of these actions, but not all, are:

  • bd_delete_pages_by_status: deletes all pages by status
  • bd_delete_posts_by_post_type: deletes all posts by type
  • bd_delete_users_by_meta: deletes all users that have a specific meta key/value pair

Nearly all actions registered by this plugin can be performed by any user, as long as the action name is passed in a query variable named bd_action and the user has a valid account. These actions would normally require administrative rights, so this is a privilege escalation vulnerability.
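The root cause is that the request handler acts on bd_action without first checking who is asking. The following is an added illustration of the pattern a WordPress plugin should use to gate such a dispatcher; it is not Bulk Delete's own code nor the 5.5.4 patch, and the function names (bd_handle_action, bd_allowed_actions) and the callback map are hypothetical, reusing the action names listed above.

```php
<?php
// Added example: gating privileged actions dispatched via a request variable.
// Not Bulk Delete's own code; function names and the callback map are hypothetical.

// Map each permitted bd_action value to its handler. Only listed names can run.
// The callbacks are assumed to be the plugin's existing operations.
function bd_allowed_actions() {
    return array(
        'bd_delete_pages_by_status'    => 'bd_delete_pages_by_status',
        'bd_delete_posts_by_post_type' => 'bd_delete_posts_by_post_type',
        'bd_delete_users_by_meta'      => 'bd_delete_users_by_meta',
    );
}

function bd_handle_action() {
    if ( ! isset( $_REQUEST['bd_action'] ) ) {
        return;
    }

    // 1. Capability check. Being logged in is not a privilege: every one of
    //    these operations is site-wide and destructive, so require the
    //    administrator-level capability, not 'read' or 'edit_posts'.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to perform this action.', 403 );
    }

    // 2. Whitelist the action name so the request cannot reach arbitrary callbacks.
    $action   = sanitize_key( wp_unslash( $_REQUEST['bd_action'] ) );
    $handlers = bd_allowed_actions();
    if ( ! isset( $handlers[ $action ] ) ) {
        wp_die( 'Unknown action.', 400 );
    }

    // 3. Nonce check. The capability check alone still leaves an administrator
    //    open to CSRF, because any link or form can set bd_action for them.
    check_admin_referer( $action, 'bd_nonce' );

    call_user_func( $handlers[ $action ] );
}

// Hook on admin_init rather than plain init so unauthenticated front-end
// requests never reach the dispatcher at all.
add_action( 'admin_init', 'bd_handle_action' );
```

The order matters: the capability check runs before any request data is interpreted, and the nonce check complements rather than replaces it.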

PoC

The following script deletes all pages, posts and users from the vulnerable website.

And a Metasploit module that exploits this vulnerability

Solution

Upgrade to v5.5.4