Wordfence experts warned about the vulnerabilities recently fixed in the WordPress Download Manager plugin (installed on more than 100,000 sites).
These bugs can be used to execute arbitrary code in certain configurations.
The first bug is CVE-2021-34639 (7.5 on the CVSS scale), an authenticated file upload problem. The vulnerability allows attackers to upload files with a php4 extension, as well as other files that can be executed if certain conditions are met. In particular, the plugin is vulnerable to double extension attacks (where a file name carrying more than one extension is used to get code executed).
The vulnerability affected all versions of WordPress Download Manager up to 3.1.24 and was fixed in early May, together with another problem that could be used to access confidential information.
The second bug, tracked as CVE-2021-34638 (6.5 on the CVSS scale), is a directory traversal that could allow a low-privileged user to retrieve the contents of the wp-config.php file. To do this, the attacker adds a new download and performs a directory traversal attack using the file[page_template] parameter.
Wordfence adds that this vulnerability can also be abused to execute code: a user with author rights can upload a file with an image extension that actually contains malicious JavaScript.
By pointing file[page_template] at the uploaded file, the attacker ensures that the JavaScript runs every time the page is viewed or previewed.
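The two weaknesses above come down to an upload filter that looks only at the last extension and a template parameter that is used as a raw path. As an added example (not the plugin's or Wordfence's code), the checks below show the defensive version of both: every dot-separated segment of an upload name is inspected, and the template name is confined to the plugin's own template directory. The function names, the extension lists and the template directory are assumptions for illustration.

```php
<?php
// Extensions a web server may hand to a PHP interpreter (assumed list).
// Checking every segment, not just the last one, is what defeats
// double-extension names such as "shell.php4.jpg" or "shell.php.png".
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

// Final extensions the download manager is allowed to accept (assumed list).
const ALLOWED_FINAL_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

function is_safe_upload_filename(string $name): bool {
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                       // no extension, or a dotfile like .htaccess
    }
    $extensions = array_slice($parts, 1);
    foreach ($extensions as $ext) {
        if ($ext === '' || in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            return false;                   // empty segment ("a..jpg") or executable segment
        }
    }
    // The allowlist on the final extension is the primary control; the
    // deny list above only closes the double-extension gap behind it.
    return in_array(end($extensions), ALLOWED_FINAL_EXTENSIONS, true);
}

// Resolve a user-supplied template name against the plugin's own template
// directory. Anything that escapes that directory (directory traversal) or
// points at a non-template file (an uploaded "image") is refused.
function resolve_page_template(string $requested, string $template_dir): ?string {
    $base = realpath($template_dir);
    if ($base === false) {
        return null;
    }
    // A template is a bare file name; any path separator or NUL byte is rejected outright.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() collapses "..", so a surviving candidate must still sit under $base.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                        // missing, or resolved outside the template directory
    }
    return pathinfo($candidate, PATHINFO_EXTENSION) === 'php' ? $candidate : null;
}
```

With these checks, "shell.php4.jpg" is rejected while "photo.jpg" passes, and a template value such as "../../wp-config.php" or the path of an uploaded image resolves to null instead of being rendered.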
Let me remind you that I wrote that Zerodium offers up to $300,000 for WordPress vulnerabilities.