CVE-2024-12035

Name of the Vulnerable Software and Affected Versions CS Framework plugin for WordPress versions up to and including 6.9

Description The issue arises from insufficient file path validation in the cs widget file delete() function, allowing authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This can potentially lead to remote code execution if critical files, such as wp-config.php, are deleted.

Recommendations For CS Framework plugin for WordPress versions up to and including 6.9, update to a version higher than 6.9 to resolve the issue. As a temporary workaround, consider restricting access to the cs widget file delete() function to prevent unauthorized file deletion.