• roundaboutweb

    (@roundaboutweb)


    This plugin has been closed as of January 23, 2025 and is not available for download. This closure is temporary, pending a full review.


Viewing 1 replies (of 1 total)
  • Plugin Author Steven

    (@shazahm1hotmailcom)

    Here’s the reported issue:

    The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server and all their content.

    The significant bit is that this requires admin-level access. So, this issue can only affect you if you have an admin you do not trust, or someone gains unauthorized admin-level access. However, an admin-level user can already cause “arbitrary directory deletion,” even on a clean install of WP with no plugins installed using the plugin or theme editor and one line of code. The threat level is low.

    WP takes security very seriously, as they should, so they have removed the Connections until this is resolved. This issue is quick and easy to resolve, but WP requires a review afterward. Unfortunately, this can take many months. I hope this is not the case.

    I have developed a working solution and hope to submit by end of week. The additional time is required as I want to also add additional validations, and I must ensure any new requirements are also met since a new plugin review is being required as part of the submission.

    I hope this helps and alleviates any concerns.
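
The reported weakness is a missing path check before a directory delete. As an added illustration of the defensive pattern (this is not the plugin author's fix and not code from the Connections project), the following PHP resolves an untrusted directory name against one fixed base directory and refuses anything that escapes it, before performing the recursive delete. The function names (`cn_example_*`), the base-directory name and the sample slugs are assumptions made for this example; inside WordPress the base would be built from `wp_get_upload_dir()['basedir']`, and the handler would additionally be gated by `current_user_can()` and `check_admin_referer()`.

```php
<?php
/**
 * Added example, not the plugin's own code.
 * Resolve an untrusted directory name against a fixed base directory and
 * return the canonical absolute path only if it lies strictly inside it.
 *
 * $baseDir - the only directory under which deletion is ever permitted
 *            (assumption: in WordPress this would be derived from
 *            wp_get_upload_dir()['basedir'] plus the plugin's sub-directory)
 * $slug    - the untrusted directory name taken from the request
 */
function cn_example_resolve_image_dir(string $baseDir, string $slug): ?string
{
    // A legitimate request names exactly one path component:
    // no separators, no NUL bytes, no "." or ".." segments.
    if ($slug === '' || $slug === '.' || $slug === '..' || preg_match('#[/\\\\\0]#', $slug)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Refuse to operate through a symlink even if it currently points inside $base.
    $raw = $base . DIRECTORY_SEPARATOR . $slug;
    if (is_link($raw)) {
        return null;
    }

    // realpath() canonicalises the candidate so the containment test below
    // compares real locations rather than request strings.
    $candidate = realpath($raw);
    if ($candidate === false || !is_dir($candidate) || $candidate === $base) {
        return null;
    }

    // Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

/**
 * Delete the image directory named by $slug, but only after it has been
 * validated against $baseDir. Returns true on success, false if rejected.
 */
function cn_example_delete_image_dir(string $baseDir, string $slug): bool
{
    $target = cn_example_resolve_image_dir($baseDir, $slug);
    if ($target === null) {
        return false;
    }

    // CHILD_FIRST visits files before their parent directories; SKIP_DOTS
    // omits "." and "..". Symlinked directories are not descended into
    // (FOLLOW_SYMLINKS is not set) and are removed as links with unlink().
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($target, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($entry->getPathname());
        } else {
            unlink($entry->getPathname());
        }
    }
    return rmdir($target);
}

// Constructed demonstration on a temporary tree (not real site data).
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cn_example_' . bin2hex(random_bytes(4));
$base = $tmp . DIRECTORY_SEPARATOR . 'connections-images';
mkdir($base . DIRECTORY_SEPARATOR . 'entry-42' . DIRECTORY_SEPARATOR . 'thumbs', 0700, true);
file_put_contents($base . '/entry-42/thumbs/a.jpg', 'x');
mkdir($tmp . DIRECTORY_SEPARATOR . 'outside', 0700, true);

var_dump(cn_example_delete_image_dir($base, '../outside'));   // bool(false): traversal rejected
var_dump(cn_example_delete_image_dir($base, ''));             // bool(false): empty name rejected
var_dump(cn_example_delete_image_dir($base, 'entry-42'));     // bool(true): inside base, deleted
var_dump(is_dir($tmp . '/outside'));                          // bool(true): untouched

rmdir($tmp . '/outside');
rmdir($base);
rmdir($tmp);
```

The containment test is done on `realpath()` output rather than on the request string so that a name which only looks harmless but resolves elsewhere (through a symlink or an encoded separator) is still rejected; pairing it with a capability check keeps the operation confined to the plugin's own upload area even for administrator accounts.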
