Developers fixed serious vulnerabilities in WordPress Download Manager

Written by Emma Davis

Wordfence experts warned about the vulnerabilities recently fixed in the WordPress Download Manager plugin (installed on more than 100,000 sites).

These bugs can be used to execute arbitrary code in certain configurations.

"We found two separate vulnerabilities, including sensitive information disclosure and a file upload vulnerability that could lead to remote code execution in some configurations. The plugin developer responded to our first call in less than an hour, and we provided full confidential information on the same day, May 4, 2021. The next day, May 5, a revised version of the WP Download Manager plugin was released," Wordfence specialists said.

The first bug is CVE-2021-34639 (7.5 on the CVSS scale) and is an authenticated file upload problem. The vulnerability allows attackers to upload files with php4 extensions, as well as files that can be executed if certain conditions are met. In particular, the plugin is vulnerable to double extension attacks (when a file with multiple extensions is used to execute code).

"For example, you can upload a file called info.php.png. This file will be executable in certain Apache/mod_php configurations, where the AddHandler or AddType directives are used," the experts write.

The vulnerability was dangerous for all versions of WordPress Download Manager up to 3.1.24, and was fixed in early May together with another problem that could be used to access confidential information.
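The double-extension case described above can be audited for on an existing site. The following Python script is an added example, not code from Wordfence or the plugin developer; the extension list and the sample directory tree are assumptions constructed for illustration. It relies on the fact that Apache's mod_mime treats every dot-separated segment of a file name as an extension, so it checks each segment rather than only the last one.

```python
import os
import tempfile

# Assumption: extensions a PHP handler is commonly mapped to; adjust to match
# the AddHandler/AddType lines in your own Apache configuration.
HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def handler_segments(filename):
    """Return every dot-separated segment after the base name that matches a
    handler extension. mod_mime treats each such segment as an extension, so
    'info.php.png' is reported just like 'info.php'."""
    segments = os.path.basename(filename).lower().split(".")[1:]
    return [s for s in segments if s in HANDLER_EXTENSIONS]


def audit_uploads(root):
    """Walk an uploads directory and return {relative_path: [segments]} for
    every file whose name could be mapped to the PHP handler."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hits = handler_segments(name)
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel] = hits
    return findings


def demo():
    """Build a constructed uploads tree (sample names only) and audit it."""
    samples = ("photo.png", "report.v2.pdf", "info.php.png", "legacy.php4")
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "sample-dir")
        os.makedirs(sub)
        for name in samples:
            with open(os.path.join(sub, name), "w") as fh:
                fh.write("constructed sample\n")
        return audit_uploads(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: handler extension(s) {hits}")
```

Run `audit_uploads()` against the site's real uploads directory; any hit is a file that a broad AddHandler or AddType mapping could pass to the PHP interpreter.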

The second bug, tracked as CVE-2021-34638 (6.5 on the CVSS scale), is a directory traversal that could allow a low-privileged user to retrieve the contents of the wp-config.php file. This is done by adding a new download and performing a directory traversal attack using the file[page_template] parameter.

Wordfence adds that this vulnerability can also be abused to execute code: a user with author rights can upload a file with an image extension, but containing malicious JavaScript.

By including the path to the uploaded file in file[page_template], the attacker will ensure that JavaScript is executed every time the page is viewed or previewed.

Let me remind you that I wrote that Zerodium offers up to $300,000 for WordPress vulnerabilities.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
