Recently we (ThreatPress) discovered an authenticated arbitrary file deletion vulnerability in the Simple Contact Info plugin. The plugin has 6000+ active installs according to wordpress.org, but it has not been updated in 3 years. In inc/contat-ajax.php, the code in the sci_ajax_delete_icon_callback function does not verify a nonce, does not check the user's role, and does not validate the file path before deleting the file.
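As an added illustration (this is not the plugin's code and not ThreatPress's own material), the following is how an admin-ajax delete handler in a WordPress plugin can apply the three missing controls named above: a nonce check against CSRF, a capability check for authorization, and path confinement so only files inside the plugin's own icon directory can be removed. The hook name `example_delete_icon`, the callback name, the `example-icons` directory under the uploads folder and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example, not code from the Simple Contact Info plugin.
// Names (example_delete_icon, example-icons) are hypothetical.

// Register for logged-in users only; no 'wp_ajax_nopriv_' hook is added,
// so unauthenticated requests never reach the callback.
add_action( 'wp_ajax_example_delete_icon', 'example_delete_icon_callback' );

function example_delete_icon_callback() {
    // 1. CSRF: the request must carry a nonce created for this action
    //    (e.g. wp_create_nonce( 'example_delete_icon' ) passed to the JS).
    //    check_ajax_referer() terminates the request if the nonce is bad.
    check_ajax_referer( 'example_delete_icon', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input: unslash, reduce to a bare file name, refuse anything else.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Path confinement: resolve both the allowed directory and the target
    //    with realpath() (which also follows symlinks) and require that the
    //    target lives directly under the allowed directory.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-icons' );
    $target = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'file not found', 404 );
    }

    // 5. Only regular files with an expected icon extension are deletable.
    $allowed = array( 'png', 'jpg', 'jpeg', 'gif', 'svg' );
    $ext     = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! is_file( $target ) || ! in_array( $ext, $allowed, true ) ) {
        wp_send_json_error( 'not a deletable icon', 400 );
    }

    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }

    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

The order matters: the nonce check runs first so a forged request from another site dies before any other code runs, the capability check then rejects low-privilege accounts, and the `realpath` comparison is what actually prevents a traversal sequence or symlink from reaching a file outside the icon directory. When reviewing a plugin's AJAX handlers, the absence of any one of `check_ajax_referer`/`wp_verify_nonce`, `current_user_can`, or a confinement check like step 4 is the pattern to flag.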
The plugin is closed and no longer available for download. We recommend finding an alternative plugin.
Type: Bypass
OWASP Top 10: A7 Missing Function Level Access Control