CVE-2016-15033
📋 TL;DR
The Delete All Comments WordPress plugin, in versions up to and including 2.0, contains an arbitrary file upload vulnerability in delete-all-comments.php: the upload handler does not validate the type of the submitted file. An unauthenticated attacker can therefore upload a file of their choosing, such as a PHP web shell, to a vulnerable site, which leads to remote code execution on the web server.
💻 Affected Systems
- WordPress Delete All Comments plugin, versions up to and including 2.0
📦 What is this software?
Delete All Comments by Delete All Comments Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or install cryptocurrency miners.
If Mitigated
Plugin removed, or direct access to delete-all-comments.php blocked at the web server or WAF, so the upload handler cannot be reached and no attacker-controlled file lands on disk.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill due to public proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.0 (none may be offered; if the plugin screen shows no update, removal is the fix)
Vendor Advisory: https://wordpress.org/plugins/delete-all-comments/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Delete All Comments plugin.
4. Click Update Now if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Plugin
Deactivate and delete the vulnerable plugin to eliminate the attack vector.
wp plugin deactivate delete-all-comments
wp plugin delete delete-all-comments
Web Server File Restriction
Configure the web server to block direct access to delete-all-comments.php. This stops new uploads but does not remove files an attacker has already placed; check the plugin directory for unexpected .php files as well.
# In Apache .htaccess (2.2 syntax; on Apache 2.4 without mod_access_compat
# use "Require all denied" in place of the Order/Deny lines):
<Files "delete-all-comments.php">
Order Allow,Deny
Deny from all
</Files>
# In Nginx config:
location ~* /delete-all-comments\.php$ {
deny all;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the Delete All Comments plugin from all WordPress installations.
- Implement web application firewall rules to block requests to delete-all-comments.php and file upload attempts to the plugin directory.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Delete All Comments plugin version. If the version is 2.0 or lower, the site is vulnerable. A deactivated copy of the plugin still leaves delete-all-comments.php on disk and reachable over HTTP, so presence of the file matters more than activation state.
Check Version:
wp plugin get delete-all-comments --field=version
Verify Fix Applied:
Verify plugin version is higher than 2.0 or plugin is completely removed from plugins directory.
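The check above as an added example (not part of the original advisory or the plugin's own code): a Python script that reads the Version: header from delete-all-comments/delete-all-comments.php under wp-content/plugins and compares it against 2.0 numerically, so that 2.0.0 counts as vulnerable and 10.0 is not mis-sorted below 2.0 by a string compare. The plugin slug and main file name are taken from the wp-cli commands and URLs on this page; the sample header, the four-component version padding and the result labels are this example's own assumptions. It inspects the file on disk rather than the activation state, because the workaround section treats direct HTTP access to the file as the exposure, so a deactivated copy still on disk is reported as vulnerable.

```python
import re
import tempfile
from pathlib import Path

# Last vulnerable release named in the advisory.
LAST_VULNERABLE = "2.0"
# Plugin slug and main file, as used by the wp-cli commands on this page.
PLUGIN_SLUG = "delete-all-comments"
MAIN_FILE = "delete-all-comments.php"

# WordPress reads plugin metadata from the comment block at the top of the
# main plugin file; "Version:" is one of its standard header fields.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample of such a header (not the plugin's real source).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Delete All Comments
Version: 2.0
*/
"""


def version_tuple(version, width=4):
    """'2.0' -> (2, 0, 0, 0); '2.1-beta' -> (2, 1, 0, 0).
    Padding to a fixed width makes '2.0.0' compare equal to '2.0', and
    numeric comparison keeps '10.0' above '2.0' (a string compare would not)."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
        if m is None or m.group() != piece:
            break  # stop at the first non-numeric segment
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def is_vulnerable(version):
    """True for every release up to and including 2.0."""
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE)


def header_version(text):
    """Extract the Version: field from plugin header text, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def check_plugin(plugins_dir):
    """Inspect a wp-content/plugins directory and return one of:
    'absent'     - plugin main file not on disk, so the handler is not reachable
    'vulnerable' - header version <= 2.0
    'patched'    - header version  > 2.0
    'unknown'    - file present but no Version: header; treat as vulnerable"""
    main = Path(plugins_dir) / PLUGIN_SLUG / MAIN_FILE
    if not main.is_file():
        return "absent"
    version = header_version(main.read_text(errors="replace"))
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def demo():
    """Run the check against a throwaway plugins directory: first with the
    constructed 2.0 header in place, then after the file has been deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / PLUGIN_SLUG
        plugin_dir.mkdir()
        (plugin_dir / MAIN_FILE).write_text(SAMPLE_HEADER)
        before = check_plugin(tmp)
        (plugin_dir / MAIN_FILE).unlink()
        after = check_plugin(tmp)
    return before, after


if __name__ == "__main__":
    import sys
    # Usage: python check_dac.py /var/www/html/wp-content/plugins
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_plugin(target) if target else demo())
```

Run it with the path to the site's wp-content/plugins directory; with no argument it exercises the constructed sample and reports vulnerable, then absent. Anything other than absent or patched should be treated as an open finding.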
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/delete-all-comments/delete-all-comments.php with file upload parameters
- New files with executable extensions (.php, .phtml, .php5 and similar) appearing under /wp-content/plugins/delete-all-comments/ or elsewhere in wp-content without a corresponding plugin or core update
Network Indicators:
- POST requests to delete-all-comments.php with multipart/form-data containing executable file uploads
SIEM Query:
source="web_server_logs" AND method="POST" AND uri="/wp-content/plugins/delete-all-comments/delete-all-comments.php"
Any unauthenticated POST to this file is the attack, so do not narrow the query by User-Agent: the curl, wget and "-" values seen in scanner traffic are trivially spoofed, and a hit with a browser User-Agent is just as dangerous. Pivot on the source IP of each hit and look for later requests to other .php files under /wp-content/plugins/delete-all-comments/, which indicate the uploaded file was executed.
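The log indicators above turned into a detector, as an added example that is not part of the original advisory: a Python script that parses Apache/Nginx combined-format access log lines (assumed format), flags POSTs to the plugin's upload handler and requests for executable files dropped into the plugin directory, then correlates the two per source IP so that an upload followed shortly by a hit on a new .php file in that directory is reported as a likely successful compromise. The log lines are constructed for this example; the extension list beyond .php/.phtml/.php5 and the ten-minute correlation window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Upload handler and plugin directory named in the advisory.
HANDLER = "/wp-content/plugins/delete-all-comments/delete-all-comments.php"
PLUGIN_DIR = "/wp-content/plugins/delete-all-comments/"
# Extensions the page lists (.php, .phtml, .php5) plus others that PHP handlers
# commonly execute; the extra ones are an assumption about typical server configs.
EXEC_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar")

# Apache/Nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one source uploads and then calls its shell, a second
# only uploads, a third is ordinary admin traffic plus a GET of the handler.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2016:14:03:11 +0000] "POST /wp-content/plugins/delete-all-comments/delete-all-comments.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:14:03:15 +0000] "GET /wp-content/plugins/delete-all-comments/shell.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2016:14:04:02 +0000] "POST /wp-content/plugins/delete-all-comments/delete-all-comments.php HTTP/1.1" 200 512 "-" "curl/7.47.0"
192.0.2.4 - - [10/Dec/2016:14:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 30 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.4 - - [10/Dec/2016:14:05:01 +0000] "GET /wp-content/plugins/delete-all-comments/delete-all-comments.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["uri"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec):
    """'upload' for a POST to the handler, 'webshell' for a request to any other
    executable file inside the plugin directory, None for everything else.
    The user agent is deliberately not consulted: an attacker chooses it."""
    if rec["method"] == "POST" and rec["path"] == HANDLER:
        return "upload"
    if (rec["path"].startswith(PLUGIN_DIR) and rec["path"] != HANDLER
            and rec["path"].lower().endswith(EXEC_EXTS)):
        return "webshell"
    return None


def find_indicators(log_text):
    """Return (label, ip, timestamp, path, user_agent) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits.append((label, rec["ip"], rec["ts"], rec["path"], rec["ua"]))
    return hits


def correlate(indicators, window_s=600):
    """Source IPs that POSTed to the handler and, within window_s seconds
    (assumed 10 minutes), requested an executable file in the plugin directory.
    Upload followed by execution from the same source is the strongest signal
    that the attack succeeded; a lone POST is still worth triage."""
    uploads = defaultdict(list)
    confirmed = set()
    for label, ip, ts, _path, _ua in sorted(indicators, key=lambda r: r[2]):
        if label == "upload":
            uploads[ip].append(ts)
        elif label == "webshell" and any(
                0 <= (ts - t).total_seconds() <= window_s for t in uploads[ip]):
            confirmed.add(ip)
    return confirmed


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for label, ip, ts, path, ua in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S} {label:8} {ip:15} {path} ({ua})")
    print("likely compromised from:", sorted(correlate(found)))
```

On the constructed sample the script reports two uploads and one web shell hit, and correlate() returns only 203.0.113.7, the source that both POSTed to the handler and then requested shell.php four seconds later. The GET of the handler itself and the admin-ajax POST from 192.0.2.4 are ignored; the lone POST from 198.51.100.9 is listed as an indicator but not as a confirmed compromise.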
🔗 References
- http://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/
- https://wordpress.org/plugins/delete-all-comments/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b1e98d2d-20b1-4fff-96d4-0fb8e0d2615a?source=cve