Easy Upload Files During Checkout
Monthly
Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.
Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.