Name of the Vulnerable Software and Affected Versions:
NinjaScanner – Virus & Malware scan plugin for WordPress versions through 3.2.5
Description:
The NinjaScanner – Virus & Malware scan plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation. This issue affects the `nscan ajax quarantine` and `nscan quarantine select` functions. Authenticated attackers possessing Administrator-level access or higher can exploit this to delete arbitrary files on the server, potentially including files located outside the WordPress root directory.
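The root cause named above is a file path taken from the request and passed to a delete operation without being confined to the quarantine directory. The following is an added example of how a quarantine-deletion handler can be hardened; it is not NinjaScanner's code, and the function names, the `file` and `nonce` request fields, the nonce action string and the quarantine directory location are all assumptions made for illustration. The capability and nonce checks keep the action admin-only, but since the advisory's attacker already holds Administrator access, the path validation is the part that actually closes the arbitrary-deletion hole.

```php
<?php
// Added example, not the plugin's own code. Assumed: the request carries a bare
// file name in POST field 'file', and quarantined files live in $quarantine_dir.

/**
 * Resolve $requested against $quarantine_dir and return the canonical path only
 * if it names a regular file directly inside the quarantine directory.
 * Returns null for traversal attempts, odd characters, symlinks or missing files.
 */
function nscan_example_safe_quarantine_path(string $quarantine_dir, string $requested): ?string {
    // Whitelist: a plain file name, no separators, no NUL bytes, not "." or "..".
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $requested) || $requested === '.' || $requested === '..') {
        return null;
    }
    $base = realpath($quarantine_dir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $requested;
    // Reject symlinks outright: realpath() would follow one to a target elsewhere.
    if (is_link($candidate)) {
        return null;
    }
    $path = realpath($candidate);
    // Canonical path must still start with the quarantine directory prefix.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($path)) {
        return null;
    }
    return $path;
}

/**
 * Hardened AJAX handler skeleton (hypothetical; hook it with add_action('wp_ajax_...')).
 * wp_send_json_error() terminates the request, so no code after it runs.
 */
function nscan_example_ajax_delete_quarantined(): void {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('nscan_example_quarantine', 'nonce'); // assumed nonce action name
    $quarantine_dir = WP_CONTENT_DIR . '/nscan-quarantine';   // assumed location
    $requested = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';
    $path = nscan_example_safe_quarantine_path($quarantine_dir, $requested);
    if ($path === null) {
        wp_send_json_error('invalid quarantine file', 400);
    }
    if (!unlink($path)) {
        wp_send_json_error('delete failed', 500);
    }
    wp_send_json_success(['deleted' => basename($path)]);
}
```

The design choice worth noting is that the check is a whitelist on the file name plus a canonical-prefix test on the resolved path, rather than a blacklist of `../` sequences: `realpath()` collapses any traversal the regex might miss, and the explicit `is_link()` test prevents a symlink planted in the quarantine directory from redirecting the `unlink()` at a file outside it.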
Recommendations:
Installations running a version prior to 3.2.5 should be updated.
As a temporary workaround, restrict access to the `nscan ajax quarantine` and `nscan quarantine select` functions until a patch is available.