WordPress Download Manager Plugin Vulnerabilities Could Allow Code Execution

Heads up, WordPress admins! A couple of security vulnerabilities have been found in the WordPress Download Manager plugin. While not so easy to exploit, exploiting the bugs could allow code execution.

WP Download Manager Plugin Vulnerabilities

Team Wordfence has shared insights about two security vulnerabilities in the Download Manager plugin that they found recently.

As elaborated in their post, one of these vulnerabilities (CVE-2021-34639) was a high-severity flaw that allowed an authenticated adversary to upload executable files. Although, exploiting this bug was difficult owing to a file extension check in place. However, it only checked the last extension of the file, thus allowing double extension attacks.

Sharing an example of such an exploit, the researchers stated,

For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.

Under certain configurations, exploiting this bug could lead to remote code execution attacks.

The second vulnerability was a medium severity bug (CVE-2021-346380) that allowed directory traversal attacks. Exploiting this vulnerability could lead to information disclosure. Describing the flaw, the post reads,

As such, it was possible for a user with lower permissions, such as a contributor, to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter.
Upon previewing the download, the contents of the wp-config.php file would be visible in the page source.

Patches Deployed

Upon discovering the bugs affecting plugin versions 3.1.24 and lower, the researchers reported the matter to the plugin developers.

According to the plugin page, Download Manager currently boasts 100,000 active installations. That means these bugs potentially risked the security of thousands of WordPress websites.

Nonetheless, the developers promptly fixed both the bugs with the release of version 3.1.25.

However, given the vigilance of the developers in maintaining the plugin, the latest version appears to be 3.2.12. Therefore, all site owners using this plugin must update their sites with the latest plugin version to remain safe.

Related posts

Apple Addressed Two Zero-Day Flaws In Intel-based Macs

Really Simple Security Plugin Flaw Risks 4+ Million WordPress Websites

Glove Stealer Emerges A New Malware Threat For Browsers