Arbitrary file upload vulnerability in WordPress Delete-All-Comments plugin.

On November 20th, while auditing a hacked WordPress website, we identified a critical vulnerability in the Delete All Comments WordPress plugin v2.0, which has over 30,000 active installations.
Because a part of the delete-all-comments.php main script is not restricted to the administrator, any unauthenticated user can upload a remote PHP script into the /plugins/delete-all-comments/backup/ folder:

14    if(isset($_POST['restorefromfileNAME']) || isset($_POST['restorefromfileURL']))
15    {
16
17    if(!file_exists(dirname(__file__)."/backup/".$_POST['restorefromfileNAME']))
18       {
19          $fileUrl=$_POST['restorefromfileNAME'];
20          $fileName=$fileUrl;
21          $extension=explode(".",$fileUrl);
22          file_put_contents(dirname(__file__)."/backup/$fileName",file_get_contents($_POST['restorefromfileURL']));
23          file_put_contents(dirname(__file__)."/content.log","working");

An attacker can assign the destination file name to the $_POST['restorefromfileNAME'] variable and the remote file to download to
the $_POST['restorefromfileURL'] variable. The remote script will be uploaded into the /backup/ sub-folder.

Here is a sample of the HTTP log showing a real attack:

95.153.xx.xx - - [20/Nov/2016:11:41:34 +0700] "POST /wp-content/plugins/delete-all-comments/delete-all-comments.php HTTP/1.1" 200 57
95.153.xx.xx - - [20/Nov/2016:11:42:09 +0700] "GET /wp-content/plugins/delete-all-comments/backup/wp-conf.php HTTP/1.1" 200 1782

Recommendations

The author was informed on November 20th but did not respond. We contacted the WordPress plugin department and the plugin was removed from the repository the same day. Therefore, there is no patch or fix available.
As that vulnerability is a 0day, i.e., it is currently being exploited, consider uninstalling the plugin ASAP.
Alternatively, if your are using NinjaFirewall (WP/WP+ Edition), our WordPress WAF, you are protected against it.