Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Feature Overview

The Litho WordPress theme (versions ≤ 3.0) includes an AJAX-based “Remove Font Family” feature that allows users to delete custom font folders under wp-content/uploads/litho-fonts/. This is implemented in litho_remove_font_family_action_data(), hooked to both authenticated and unauthenticated AJAX actions (wp_ajax_litho_remove_font_family_action_data and wp_ajax_nopriv_litho_remove_font_family_action_data),...

🔧 Technical Details

An unauthenticated AJAX endpoint litho_remove_font_family_action_data registered on both wp_ajax and wp_ajax_nopriv hooks processes a user-controlled fontfamily string without sanitization or CSRF/authorization checks. The handler constructs file paths under the uploads directory and invokes the theme's filesystem API to delete the source directory. By supplying a path traversal payload (e.g., `../../../../wp-config.php`) in the `fontfamily`...

🤖 Agent Actions

Added a new subsection to the WordPress exploitation page with:

  1. Detailed explanation of the Litho unauthenticated arbitrary file-deletion bug (root cause, vulnerable code, exploitation, detection, hardening code-sample).
  2. Practical curl example for deleting wp-config.php.
  3. Checklist for spotting similar issues in other plugins/themes.
  4. Hardened/secure implementation snippet.
  5. “## References” section (with the Patchstack blog URL) placed just before the training banner.

These changes enrich the existing WordPress Plugin Pentest coverage with a concrete real-world path traversal + file-deletion technique, its exploitation, and secure coding guidance.

✅ Review Checklist

  • Content is technically accurate
  • Formatting follows HackTricks style guidelines
  • Links and references are working
  • Content adds educational value
  • No sensitive information is exposed

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
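The PR description above names the three missing controls (nonce, capability check, input sanitization) and the unconstrained path build. Below is an added example of what a hardened version of that handler pattern looks like; it is not Litho's code and not part of the PR, and the action and function names (`example_remove_font_family`, `example_path_inside`) are hypothetical.

```php
<?php
// Added example (not Litho's code): hardened form of the "remove font family" AJAX
// handler pattern described in the PR. Names prefixed example_ are hypothetical.

// Register ONLY the authenticated hook. The wp_ajax_nopriv_* variant is deliberately
// absent: an anonymous visitor never needs to delete uploaded fonts.
add_action( 'wp_ajax_example_remove_font_family', 'example_remove_font_family' );

function example_remove_font_family() {
    // 1. CSRF: request must carry a nonce issued to this user for this action
    //    (check_ajax_referer() dies on failure).
    check_ajax_referer( 'example_remove_font_family', 'nonce' );

    // 2. Authorization: require an explicit capability, not merely "logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: a single folder name from a strict allow-list of characters.
    //    This alone rejects "../", slashes and null bytes.
    $font = isset( $_POST['fontfamily'] ) ? sanitize_file_name( wp_unslash( $_POST['fontfamily'] ) ) : '';
    if ( '' === $font || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $font ) ) {
        wp_send_json_error( 'invalid font family name', 400 );
    }

    // 4. Path containment (defence in depth): resolve both paths with realpath() and
    //    refuse anything that does not sit strictly inside uploads/litho-fonts/.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'litho-fonts' );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $font );
    if ( false === $base || false === $target || ! example_path_inside( $base, $target ) ) {
        wp_send_json_error( 'path not allowed', 400 );
    }

    // 5. Only now touch the filesystem, via the WP Filesystem API.
    global $wp_filesystem;
    if ( ! $wp_filesystem ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        WP_Filesystem();
    }
    $ok = $wp_filesystem->delete( $target, true );
    $ok ? wp_send_json_success( 'removed' ) : wp_send_json_error( 'delete failed', 500 );
}

// True only when $path is a descendant of $base (never $base itself, never a sibling
// whose name merely starts with the same prefix, e.g. litho-fonts-old).
function example_path_inside( $base, $path ) {
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strpos( $path . DIRECTORY_SEPARATOR, $base ) && $path !== rtrim( $base, DIRECTORY_SEPARATOR );
}
```

For detection, the same checks translate into log signals: POST requests to `admin-ajax.php` with `action=litho_remove_font_family_action_data` from unauthenticated sessions, or a `fontfamily` value containing `/` or `..`, should never occur under the hardened handler.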

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/

Content Categories: Based on the analysis, this content was categorized under "web-application-exploitation/wordpress".

Repository Maintenance:

  • MD Files Formatting: 863 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit df3435f into master Aug 5, 2025
@carlospolop carlospolop deleted the update_Unauthenticated_Arbitrary_File_Deletion_Vulnerabil_20250730_182908 branch August 5, 2025 02:42
s3llh0lder pushed a commit to s3llh0lder/hacktricks that referenced this pull request Aug 22, 2025
