cbcvebase.
CVE-2019-14206
published 2019-07-21

CVE-2019-14206: An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via…

Priority: P276high · 7.5 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.73% (90.7th percentile)
An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.

Affected

1 range
Vendor | Product | Version range | Fixed in
nevma | adaptive_images | < 0.6.67 | 0.6.67

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/adaptive-images/adaptive-images-script.php
url: /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-content/uploads/2026/01/{{fname}}&adaptive-images-settings[resolution]=&resolution={{rev}}&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=license.txt&adaptive-images-settings[watch_cache]=1
filename: adaptive-images-script.php
  • Exploit targets the `adaptive-images-settings` parameter in adaptive-images-script.php; monitor GET requests to this script containing `source_file`, `cache_dir`, `request_uri`, and `watch_cache` keys, which together trigger arbitrary file deletion via path traversal.
  • Successful exploitation results in the targeted file returning HTTP 404 after deletion; correlate a prior 200 response on a known file (e.g., /license.txt) followed by a 404 on the same file after requests to adaptive-images-script.php.
  • Attack chain requires an authenticated WordPress session (wordpress_logged_in cookie) followed by a media upload to obtain an attachment ID, then path-traversal requests to adaptive-images-script.php; look for this sequence in web logs.
  • Path traversal sequences `../../../` appear in the `adaptive-images-settings[source_file]` and `adaptive-images-settings[cache_dir]` query parameters; alert on URL-decoded traversal strings in requests to this plugin script.
  • The exploit requires a valid authenticated WordPress session (admin credentials); unauthenticated exploitation is not demonstrated in the template — the attack flow gates on a successful wp-login.php POST returning a wordpress_logged_in cookie.
  • The NVD description states the vulnerability allows remote attackers without authentication (`PR:N`), but the Nuclei template requires authentication to upload a file first; detection rules should cover both authenticated and unauthenticated request patterns to adaptive-images-script.php.
  • The template hardcodes the upload path year/month as `2026/01`; in real-world detection, the path segment will vary based on the server's current date at time of exploitation.
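As an added defender-side illustration of the detection notes above (this is not code from the page's sources, from the Nuclei template, or from the plugin), the following Python scans web-server log lines in Common Log Format. It flags requests to adaptive-images-script.php whose `adaptive-images-settings[...]` parameters carry all four deletion-related keys together with a URL-decoded traversal sequence, and it then correlates a later 404 on a path that previously returned 200, as the second note suggests. The log lines, the client IP address, and the `YYYY/MM` upload-path segment are constructed placeholders; real logs will vary in format and in the date segment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path and settings keys named in the detection notes.
SCRIPT_PATH = "/wp-content/plugins/adaptive-images/adaptive-images-script.php"
DELETION_KEYS = {"source_file", "cache_dir", "request_uri", "watch_cache"}
# A ".." path component, with either slash style, after decoding.
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
SETTINGS_KEY = re.compile(r"^adaptive-images-settings\[([^\]]+)\]$")

# Minimal Common Log Format parser (constructed; enough fields for this check).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def inspect_request(target):
    """Classify one request target.

    Returns None unless the path is the plugin script; otherwise a dict with
    the settings keys present, the keys whose decoded value contains a
    traversal sequence, and whether the request has the deletion shape
    (all four deletion-related keys plus at least one traversal value).
    """
    parts = urlsplit(target)
    if parts.path != SCRIPT_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    keys, traversal = set(), {}
    for raw_key, values in qs.items():
        m = SETTINGS_KEY.match(unquote(raw_key))
        if not m:
            continue
        key = m.group(1)
        keys.add(key)
        for value in values:
            value = unquote(value)  # second decode catches double-encoded dots
            if TRAVERSAL.search(value):
                traversal[key] = value
    return {
        "keys": keys,
        "traversal": traversal,
        "deletion_shape": DELETION_KEYS <= keys and bool(traversal),
    }


def scan_log(lines):
    """Apply both checks from the notes over a sequence of log lines.

    Emits ("suspicious_request", ip, traversal_keys) for deletion-shaped
    requests to the script, and ("possible_deletion", ip, path) when a path
    that earlier returned 200 returns 404 after such a request.
    """
    alerts = []
    ok_paths = set()
    armed = False  # becomes True once a deletion-shaped request is seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        info = inspect_request(rec["target"])
        if info and info["deletion_shape"]:
            alerts.append(("suspicious_request", rec["ip"], sorted(info["traversal"])))
            armed = True
            continue
        if rec["status"] == 200:
            ok_paths.add(path)
        elif rec["status"] == 404 and armed and path in ok_paths:
            alerts.append(("possible_deletion", rec["ip"], path))
            ok_paths.discard(path)
    return alerts


# Constructed sample log: a benign request to the script, then a
# deletion-shaped request with percent-encoded traversal, then a 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2019:10:00:01 +0000] "GET /license.txt HTTP/1.1" 200 19915',
    '203.0.113.7 - - [21/Jul/2019:10:00:02 +0000] "GET ' + SCRIPT_PATH
    + '?adaptive-images-settings%5Bresolution%5D=1024 HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Jul/2019:10:00:03 +0000] "GET ' + SCRIPT_PATH
    + '?adaptive-images-settings%5Bsource_file%5D=%2e%2e%2f%2e%2e%2f%2e%2e%2f'
    + 'wp-content%2Fuploads%2FYYYY%2FMM%2Fimg.jpg'
    + '&adaptive-images-settings%5Bcache_dir%5D=..%2F..%2F..'
    + '&adaptive-images-settings%5Brequest_uri%5D=license.txt'
    + '&adaptive-images-settings%5Bwatch_cache%5D=1 HTTP/1.1" 200 0',
    '203.0.113.7 - - [21/Jul/2019:10:00:04 +0000] "GET /license.txt HTTP/1.1" 404 215',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The benign request (only a `resolution` key, no traversal) is not flagged, which keeps the rule from firing on the plugin's normal image-resizing traffic; the percent-encoded `%2e%2e%2f` form is caught because matching happens on the decoded value, as the fourth note recommends.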

CVSS provenance

nvd v3.1 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd v2.0 | 6.4 MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P
vulncheck | 7.5 HIGH