Multiple Vulnerabilities Patched in WordPress Download Manager

On May 4, 2021, the Wordfence Threat Intelligence Team initiated the responsible disclosure process for WordPress Download Manager, a WordPress plugin installed on over 100,000 sites. We found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations.

The plugin’s developer responded to our initial contact in less than an hour, and we provided a confidential full disclosure the same day, on May 24, 2021. A patched version of the WP Download Manager plugin was released the next day, on May 25, 2021.

The Wordfence Firewall provides built-in protection against these vulnerabilities to all Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence.


Description: Authenticated Directory Traversal
Affected Plugin: WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34638
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25

The WordPress Download Manager plugin allows the use of templates to change how download pages are displayed. Although there were some protections in place to protect against directory traversal, these were woefully insufficient. As such, it was possible for a user with lower permissions, such as a contributor, to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter.

Upon previewing the download, the contents of the wp-config.php file would be visible in the page source.

Since the contents of the file provided in the file[page_template] parameter were echoed out onto the page source, a user with author-level permissions could also upload a file with an image extension containing malicious JavaScript and set the contents of file[page_template] to the path of the uploaded file. This would lead to the JavaScript in the file being executed whenever the page was viewed or previewed resulting in Stored Cross-Site Scripting. As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session.


Description: Authenticated File Upload
Affected Plugin: WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34639
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25

Prior to our findings, the WordPress Download Manager plugin patched a vulnerability allowing authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files. While the patch in question was sufficient to protect many configurations, it only checked the very last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions. For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.

Although the CVSS score of this vulnerability is significantly higher than that of the previous vulnerability, it is much less likely to be exploited in the real world due to the presence of an .htaccess file in the downloads directory making it difficult to execute any uploaded files.

Disclosure Timeline

May 4, 2021 – We finish researching vulnerabilities in WordPress Download Manager and initiate contact with the plugin’s developer. We receive a response in less than an hour and send over full disclosure.
May 5, 2021 – A patch is released

Conclusion

In today’s article, we covered two vulnerabilities in WordPress Download Manager, including a medium-severity vulnerability that could be used to take over a site in multiple ways, as well as a high-severity vulnerability that would be much more difficult to exploit. These vulnerabilities are an excellent example of why analysts look at the mechanism of each vulnerability in order to judge potential impact, as the CVSS score rarely tells the whole story.

All Wordfence sites, including Wordfence Premium customers and those still running the free version of Wordfence, are fully protected by the Wordfence Firewall’s built-in mitigations. Nonetheless, if you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to ensure their site has been updated.

Special thanks to the developer of the WordPress Download Manager plugin, W3 Eden, for their excellent and timely response.

The post Multiple Vulnerabilities Patched in WordPress Download Manager appeared first on Wordfence.

More great articles

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View…

Read Story

Two PHP Object Injection Vulnerabilities Fixed in Essential Blocks

On August 18, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two PHP Object Injection vulnerabilities…

Read Story

Critical Vulnerabilities Patched in Quiz and Survey Master Plugin

On July 17, 2020, our Threat Intelligence team discovered two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.