CVE-2024-13767

Name of the Vulnerable Software and Affected Versions Live2DWebCanvas plugin for WordPress versions up to, and including, 1.9.11

Description The issue is related to insufficient file path validation in the ClearFiles() function, allowing authenticated attackers with Subscriber-level access and above to delete arbitrary files on the server. This can lead to remote code execution when critical files, such as wp-config.php, are deleted.

Recommendations For versions up to, and including, 1.9.11, update to a version higher than 1.9.11 to resolve the issue. As a temporary workaround, consider disabling the ClearFiles() function until a patch is available. Restrict access to the Live2DWebCanvas plugin to minimize the risk of exploitation.