CVE-2019-14206 - Nevma Adaptive Images - Arbitrary File Deletion 💰

[princechaddha]

Description:

Nevma Adaptive Images plugin before 0.6.67 for WordPress contains an arbitrary file deletion caused by unsanitized input in adaptive-images-script.php, letting remote attackers delete arbitrary files, exploit requires sending specific request parameters.

Severity: High

POC:

• https://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown
• https://markgruffer.github.io/2019/07/19/adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.html

KEV: True

Shodan Query: NA

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data(-debug) along with the template to help the triage team with validation or can also share a vulnerable environment like docker file.

Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.

You can check the FAQ for the Nuclei Templates Community Rewards Program here.

[princechaddha]

/bounty $100

[algora-pbc]

💎 $100 bounty • ProjectDiscovery Bounty Available for CVE Template Contribution

Steps to Contribute:

• Claim attempt: Comment /attempt #14693 on this issue to claim attempt. Multiple participants can attempt, but only the first to submit a complete POC template along with full debug data will receive the reward similar to bug bounty programs.
• Write the Template: Create a high-quality Nuclei template for the specified CVE, following our Contribution Guidelines and Acceptance Criteria.
• Submit the Template: Open a pull request (PR) to projectdiscovery/nuclei-templates and include /claim #14693 in the PR body to claim the bounty.
• Receive Payment: Upon successful merge of your PR, you will receive 100% of the bounty through Algora.io within 2-5 days. Ensure you are eligible for payouts.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors must share vulnerable setup information or a testable instance by emailing templates@projectdiscovery.io. Providing a testable instance significantly reduces validation time and increases the chance of quicker rewards. Templates that are incomplete, invalid, or non-verifiable will not be accepted. Avoid submitting code templates for CVEs that can be detected using HTTP, TCP, or JavaScript only these are blocked by default and will not produce results. Exceptions may apply for certain cases. Do not submit AI-simulated vulnerable environments. To qualify for the bounty, the team must be able to fully validate the POC. If you have hosted a vulnerable environment for validation, send the details (IP or Docker setup) along with the PR number to templates[at]projectdiscovery.io

You can check the FAQ for the Nuclei Templates Community Rewards Program here.

Add a bounty • Share on socials

Attempt	Started (UTC)	Solution	Actions
🟢 @thewindghost	Jan 04, 2026, 02:01:38 AM	WIP
🟢 @KrE80r	Jan 04, 2026, 02:08:24 AM	#14697	Reward
🟢 @riteshs4hu	Jan 04, 2026, 03:53:37 AM	#14694	Reward
🟢 @3th1cyuk1	Jan 04, 2026, 03:17:27 AM	WIP
🟢 @guilhermemour2018-art	Jan 04, 2026, 05:27:01 AM	#14695	Reward
🟢 @D3nverNg	Jan 04, 2026, 06:01:06 AM	#14696	Reward
🟢 @developerfred	Jan 04, 2026, 01:04:02 PM	#14698	Reward
🟢 @vog01r	Jan 04, 2026, 07:50:15 PM	WIP

[thewindghost]

/attempt #14693

[KrE80r]

/attempt #14693

[3th1cyuk1]

/attempt #14693

[riteshs4hu]

/attempt #14693

[guilhermemour2018-art]

/attempt #14693

[D3nverNg]

/attempt #14693

[thewindghost]

LFI vulnerability is not cve-2019-14206