Heads up, WordPress admins! Two security vulnerabilities have been found in the WordPress Download Manager plugin. While not easy to exploit, the bugs could allow code execution.
WP Download Manager Plugin Vulnerabilities
Team Wordfence has shared insights about two security vulnerabilities in the Download Manager plugin that they found recently.
As elaborated in their post, one of these vulnerabilities (CVE-2021-34639) was a high-severity flaw that allowed an authenticated adversary to upload executable files. Exploiting this bug was difficult because of a file extension check. However, that check only inspected the last extension of the file, thus allowing double extension attacks.
Sharing an example of such an exploit, the researchers stated,
For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.
Under certain configurations, exploiting this bug could lead to remote code execution attacks.
The second vulnerability was a medium-severity bug (CVE-2021-346380) that allowed directory traversal attacks. Exploiting this vulnerability could lead to information disclosure. Describing the flaw, the post reads,
As such, it was possible for a user with lower permissions, such as a contributor, to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter. Upon previewing the download, the contents of the wp-config.php file would be visible in the page source.
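To make the two bug classes concrete, here is an added Python illustration (not the plugin's code, not from Wordfence) of the defender-side checks involved: a last-extension-only filter of the flawed kind, which lets info.php.png through, its hardened counterpart that rejects an executable extension anywhere in the name, and a base-directory containment check of the sort that stops a template parameter from reaching wp-config.php. The extension list and directory paths are constructed for the demonstration.

```python
import posixpath

# Extensions that an Apache AddHandler/AddType directive for PHP may execute.
# Constructed for this demonstration; not taken from the plugin or Apache.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}


def weak_extension_check(filename: str) -> bool:
    """Flawed pattern: only the LAST extension is inspected.
    Returns True when the file would be accepted."""
    if "." not in filename:
        return True
    last = filename.rsplit(".", 1)[-1].lower()
    return last not in EXECUTABLE_EXTENSIONS


def hardened_extension_check(filename: str) -> bool:
    """Reject if ANY dot-separated segment is an executable extension.
    mod_mime applies AddHandler/AddType to every extension in a name, so
    info.php.png can be run as PHP; every segment after the base must be clean.
    Names with no extension or with empty segments (e.g. '.htaccess') are
    also rejected. Returns True when the file would be accepted."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False
    return not any(p in EXECUTABLE_EXTENSIONS for p in parts[1:])


def template_within_base(base_dir: str, user_template: str) -> bool:
    """Resolve a user-supplied template path and require it to stay under
    base_dir. '../' sequences and absolute paths resolve outside the base
    and are rejected. Returns True when the path is acceptable."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_template))
    return candidate == base or candidate.startswith(base + "/")
```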
Patches Deployed
Upon discovering the bugs affecting plugin versions 3.1.24 and lower, the researchers reported the matter to the plugin developers.
According to the plugin page, Download Manager currently boasts 100,000 active installations, so these bugs potentially put thousands of WordPress websites at risk.
Nonetheless, the developers promptly fixed both bugs with the release of version 3.1.25.
Since then the developers have kept the plugin actively maintained, and the latest version appears to be 3.2.12. All site owners using this plugin should update to the latest plugin version to stay safe.