Authenticated Arbitrary File Deletion Vulnerability in Simple Contact Info plugin <= v1.1.9

Recently we discovered an authenticated arbitrary file deletion vulnerability in the Simple Contact Info plugin. The plugin has 6000+ active installs according to wordpress.org, but it has not been updated in 3 years.

In inc/contat-ajax.php, the code in the sci_ajax_delete_icon_callback function does not check for a valid nonce, the user's role, or the file path. Any authenticated user can therefore call the AJAX action and have the server delete a file they name.
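To make the three missing checks concrete, here is an added example of how a WordPress AJAX file-deletion handler can be written defensively. This is not the plugin's code and not the fix shipped by anyone; the action name, nonce action, directory name and function name are hypothetical, and the handler assumes icons live in a plugin-specific subdirectory of the uploads folder.

```php
<?php
// Added example, not code from the Simple Contact Info plugin.
// All names (example_*, 'example-icons') are hypothetical.

add_action( 'wp_ajax_example_delete_icon', 'example_ajax_delete_icon_callback' );

function example_ajax_delete_icon_callback() {
    // 1. Nonce check: the request must carry the token issued to this admin page,
    //    otherwise a cross-site request can trigger the deletion.
    check_ajax_referer( 'example_delete_icon_nonce', 'nonce' );

    // 2. Capability check: being logged in is not enough; only users who may
    //    manage plugin settings are allowed to remove uploaded icons.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Path check: accept a bare file name only, then resolve it and confirm
    //    it still lies inside the plugin's own icon directory.
    $requested = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $requested || $requested !== basename( $requested ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file name.' ), 400 );
    }

    $upload_dir = wp_upload_dir();
    $icon_dir   = realpath( trailingslashit( $upload_dir['basedir'] ) . 'example-icons' );
    $target     = ( false !== $icon_dir ) ? realpath( $icon_dir . DIRECTORY_SEPARATOR . $requested ) : false;

    // realpath() resolves symlinks and any "../" segments; the resolved path must
    // start with the icon directory or the request is refused.
    if ( false === $target || 0 !== strpos( $target, $icon_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'File not found.' ), 404 );
    }

    // Only image files are icons, so anything else in the directory is off limits too.
    $ext = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'png', 'jpg', 'jpeg', 'gif', 'svg' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported file type.' ), 400 );
    }

    // wp_delete_file() runs the 'wp_delete_file' filter and unlinks the path.
    wp_delete_file( $target );
    if ( file_exists( $target ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

The admin page that issues the request has to embed the matching token, for example by passing `wp_create_nonce( 'example_delete_icon_nonce' )` to its script with `wp_localize_script()`, and send it as the `nonce` POST field. The order of the checks matters for auditing: a missing nonce or capability check is visible at the top of the function, and the path containment test is separate from file-name sanitisation because `sanitize_file_name()` alone does not prevent a caller from naming an existing file outside the intended directory.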

After we reported the issue to the wordpress.org plugin repository admins, they closed the plugin.