CVE-2019-14206
Published 2019-07-21
Priority: P2 (76) · CVSS 3.1 base score 7.5 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 4.73% (90.7th percentile)
An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nevma | adaptive_images | < 0.6.67 | 0.6.67 |
Detection & IOCs (extracted from sources)
URL: /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-content/uploads/2026/01/{{fname}}&adaptive-images-settings[resolution]=&resolution={{rev}}&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=license.txt&adaptive-images-settings[watch_cache]=1 ({{fname}} and {{rev}} are Nuclei template variables)
- The exploit targets the `adaptive-images-settings` parameter of adaptive-images-script.php. Monitor GET requests to this script that carry the `source_file`, `cache_dir`, `request_uri` and `watch_cache` keys; together they trigger the file deletion via path traversal.
- Successful exploitation leaves the targeted file returning HTTP 404. Correlate a prior 200 response on a known file (e.g. /license.txt) with a 404 on the same file after requests to adaptive-images-script.php.
- The attack chain in the template requires an authenticated WordPress session (wordpress_logged_in cookie), then a media upload to obtain an attachment ID, then the path-traversal requests to adaptive-images-script.php; look for this sequence in web logs.
- Path traversal sequences (`../../../`) appear in the `adaptive-images-settings[source_file]` and `adaptive-images-settings[cache_dir]` query parameters; alert on traversal strings, after URL decoding, in requests to this plugin script.
- Caveat: the Nuclei template requires a valid authenticated WordPress session (admin credentials); unauthenticated exploitation is not demonstrated in the template, whose flow gates on a wp-login.php POST returning a wordpress_logged_in cookie.
- Caveat: the NVD CVSS vector scores the issue as requiring no privileges (`PR:N`), while the Nuclei template authenticates to upload a file first; detection rules should cover both authenticated and unauthenticated request patterns to adaptive-images-script.php.
- Caveat: the template hardcodes the upload path year/month as `2026/01`; in real traffic that path segment varies with the server's date at exploitation time.
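The detection points above, turned into code that can be run over access logs. This is an added example written for this page; it is not code from the original page, from the Adaptive Images plugin, or from the Nuclei project. It parses the `adaptive-images-settings[...]` keys the way PHP fills `$_REQUEST`, flags `..` components in `source_file` and `cache_dir` after URL decoding (including double-encoded forms, which goes beyond the single-encoded IOC shown), and correlates a known file flipping from 200 to 404 after a flagged request. The log lines are constructed samples in combined log format; the IP addresses and file names in them are made up.

```python
"""Detection logic for CVE-2019-14206 exploitation attempts in web-server access logs.

Added example, not code from the page, the plugin, or Nuclei. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT_PATH = "/wp-content/plugins/adaptive-images/adaptive-images-script.php"
# Keys the exploit sets together (from the IOC URL above).
EXPLOIT_KEYS = {"source_file", "cache_dir", "request_uri", "watch_cache"}
# A ".." path component with either slash style, anywhere in the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Combined-log-format fields we need: client IP, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
# The IOC URL from this page (template variables left as-is).
IOC_URL = (SCRIPT_PATH + "?adaptive-images-settings[source_file]=../../../wp-content/uploads/2026/01/{{fname}}"
           "&adaptive-images-settings[resolution]=&resolution={{rev}}&adaptive-images-settings[wp_content]=."
           "&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=license.txt"
           "&adaptive-images-settings[watch_cache]=1")


def settings_from_query(query: str) -> dict:
    """Rebuild $_REQUEST['adaptive-images-settings'] (subkey -> value) from the query string.

    parse_qs decodes one layer; the extra unquote() also exposes double-encoded
    traversal such as %252e%252e that naive string matching on the raw URL would miss.
    """
    settings = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        m = re.fullmatch(r"adaptive-images-settings\[([^\]]*)\]", key)
        if m:
            settings[m.group(1)] = unquote(values[-1])
    return settings


def classify_request(target: str):
    """Return a reason string if the request looks like a CVE-2019-14206 attempt, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/adaptive-images-script.php"):
        return None
    settings = settings_from_query(parts.query)
    traversal = [k for k in ("source_file", "cache_dir")
                 if k in settings and TRAVERSAL.search(settings[k])]
    if traversal:
        return "path traversal in " + ",".join(traversal)
    if EXPLOIT_KEYS.issubset(settings):
        return "full exploit key set present"
    return None


def scan_log(lines):
    """Return (alerts, deletions).

    alerts: (ip, reason, target) for each suspicious request.
    deletions: paths that answered 200 earlier and 404 after an alert was seen,
    the post-exploitation signal described above.
    """
    alerts, deletions = [], []
    last_status = {}  # path -> most recent status seen
    alert_seen = False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target, status = m["target"], int(m["status"])
        reason = classify_request(target)
        if reason:
            alerts.append((m["ip"], reason, target))
            alert_seen = True
            continue
        path = urlsplit(target).path
        if alert_seen and status == 404 and last_status.get(path) == 200:
            deletions.append(path)
        last_status[path] = status
    return alerts, deletions


# Constructed sample log (not real traffic): login, media upload, traversal
# request, then the targeted file is gone. Last line is benign plugin use.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /license.txt HTTP/1.1" 200 19915',
    '203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Jan/2026:10:00:03 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2026:10:00:04 +0000] "GET ' + IOC_URL.replace("{{fname}}", "x.png").replace("{{rev}}", "1") + ' HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Jan/2026:10:00:05 +0000] "GET /license.txt HTTP/1.1" 404 196',
    '198.51.100.7 - - [10/Jan/2026:10:05:00 +0000] "GET ' + SCRIPT_PATH + '?adaptive-images-settings[source_file]=images/a.jpg&adaptive-images-settings[resolution]=480 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    found, gone = scan_log(SAMPLE_LOG)
    for ip, reason, target in found:
        print(f"ALERT {ip}: {reason}: {target[:80]}")
    for path in gone:
        print(f"LIKELY DELETED: {path}")
```

Because the plugin reads `$_REQUEST`, the same keys can arrive in a POST body or a cookie, so a real deployment should feed the parser request bodies as well as the query string where the log or proxy exposes them; the page's IOC and the GET-based rule above only cover the query-string form.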
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vulncheck | | 7.5 | HIGH | |
GHSA
GHSA-pwwj-2c24-8cvr · ghsa_unreviewed · 2022-05-24 · CVE-2019-14206 [HIGH] · CWE-22
An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.
VulnCheck
nevma adaptive_images Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2019 · CVSS 7.5 · CVE-2019-14206 [HIGH]
An Arbitrary File Deletion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to delete arbitrary files via the $REQUEST['adaptive-images-settings'] parameter in adaptive-images-script.php.
Affected: nevma adaptive_images
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://wpscan.com/vulnerability/025a47f0-eddc-46dd-b994-e1e824dc5225/
Exploit PoC: https://vulncheck.com/xdb/035026519e5b
No detection rules found.
Nuclei
Nevma Adaptive Images - Arbitrary File Deletion
nuclei · CVSS 7.5 · CVE-2019-14206 [HIGH]
Nevma Adaptive Images plugin before 0.6.67 for WordPress contains an arbitrary file deletion caused by unsanitized input in adaptive-images-script.php, letting remote attackers delete arbitrary files; exploitation requires sending specific request parameters.
Template (as indexed; the page shows only the info block, the request section is not included):
```yaml
id: CVE-2019-14206

info:
  name: Nevma Adaptive Images - Arbitrary File Deletion
  author: riteshs4hu
  severity: high
  description: |
    Nevma Adaptive Images plugin before 0.6.67 for WordPress contains an arbitrary file deletion caused by unsanitized input in adaptive-images-script.php, letting remote attackers delete arbitrary files, exploit requires sending specific request parameters.
  impact: |
    Remote attackers can delete arbitrary files on the server, potentially causing data loss a
```
No writeups or analysis indexed.
References
- https://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html
- https://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown
- https://wordpress.org/plugins/adaptive-images/#developers
- https://wpvulndb.com/vulnerabilities/9468