Cyber Posture

CVE-2024-13767

Severity: High

Published: 31 January 2025

Modified: 15 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0133 (80.1st percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Security Summary

CVE-2024-13767 is a vulnerability in the Live2DWebCanvas plugin for WordPress, affecting all versions up to and including 1.9.11. It stems from insufficient file path validation in the ClearFiles() function, enabling arbitrary file deletion on the server. The issue is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high impact on integrity and availability.

Authenticated attackers with Subscriber-level access or higher can exploit this flaw over the network with low complexity and no user interaction required. By targeting the ClearFiles() function, they can delete arbitrary files, potentially leading to remote code execution—for instance, by removing critical files like wp-config.php to disrupt site functionality or enable further compromise.
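The defect class described above is a file-deletion routine that neither enforces authorization (CWE-862) nor confines the requested path to a directory the plugin owns. The following is an added, hypothetical example of how such a WordPress handler can be hardened; it is not the Live2DWebCanvas plugin's code, and it assumes an `l2d_` prefix and a plugin-owned `live2d-cache` subdirectory of the uploads folder as the only deletable location.

```php
<?php
// Added example (hypothetical): hardened file-deletion helper for a WordPress plugin.
// Not the Live2DWebCanvas plugin's own code. Assumes deletable files live only in
// wp-content/uploads/live2d-cache/ (assumed directory name).

/**
 * Resolve $requested inside $base_dir and return the canonical path only if it
 * is a regular file strictly inside $base_dir; otherwise return false.
 */
function l2d_safe_file_in_dir( string $base_dir, string $requested ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    // Accept a bare file name only: reject directory components, traversal and NUL bytes.
    if ( '' === $requested || false !== strpos( $requested, "\0" ) || basename( $requested ) !== $requested ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    // realpath() resolves symlinks, so a link pointing outside the cache dir fails here.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $target;
}

/**
 * AJAX handler: nonce and capability check first (addresses CWE-862), then path validation.
 */
function l2d_clear_file_handler() {
    check_ajax_referer( 'l2d_clear_files', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // Subscribers stop here.
    }
    $uploads   = wp_upload_dir();
    $cache_dir = trailingslashit( $uploads['basedir'] ) . 'live2d-cache';
    $name      = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $path      = l2d_safe_file_in_dir( $cache_dir, $name );
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
add_action( 'wp_ajax_l2d_clear_file', 'l2d_clear_file_handler' );
```

Because the capability check runs before any path handling, a Subscriber-level account is rejected regardless of the supplied file name, and the prefix check on the resolved path means wp-config.php can never satisfy the deletion condition.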

Advisories from sources like Wordfence and the plugin's WordPress.org page, including a specific trac changeset, provide details on the issue. Security practitioners should review these references for patch information and mitigation guidance, such as updating to a fixed version if available.

Details

CWE(s): CWE-862 (Missing Authorization)
