Multiple Vulnerabilities Patched In WordPress Download Manager
The Wordfence Threat Intelligence Team found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations on WordPress Download Manager, a WordPress plugin installed on over 100,000 sites.
The WordPress Download Manager plugin allows the use of templates to change how download pages are displayed. Although there were some protections in place to protect against directory traversal, these were woefully insufficient.
As such, it was possible for a user with lower permissions, such as a contributor, to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the
Upon previewing the download, the contents of the wp-config.php file would be visible in the page source.
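The defensive fix for this class of bug is to stop treating a user-supplied template name as a path at all: allow-list its shape, resolve it with `realpath()`, and confirm the result is still inside the template directory. The following is an added example and is not code from the plugin or from Wordfence; `resolve_template_path()`, the sandbox directory layout and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not code from the plugin or from Wordfence.
// resolve_template_path() and the directory layout below are assumptions.

declare(strict_types=1);

/**
 * Return the canonical path of a template if, and only if, it lies inside
 * $template_dir. Returns null for anything else (traversal, absolute paths,
 * NUL bytes, symlinks pointing outside, unexpected extensions).
 */
function resolve_template_path(string $template_dir, string $requested): ?string
{
    // Reject empty input and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Allow-list the shape of the name: one plain basename ending in .php.
    // No "/" or "\" can appear, so "../" or an absolute path never reaches realpath().
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $requested)) {
        return null;
    }
    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // realpath() collapses ".." and follows symlinks; the result must still be
    // a descendant of the template directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sandbox: a template directory next to a fake wp-config.php.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpdm-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.php', "<?php /* template */ ?>\n");
file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'constructed-secret');\n");

$cases = [
    'default.php',             // legitimate template -> accepted
    '../wp-config.php',        // classic traversal -> rejected
    '..\\wp-config.php',       // backslash variant -> rejected
    $root . '/wp-config.php',  // absolute path -> rejected
    "default.php\0.txt",       // NUL byte -> rejected
    'uploads/shell.php',       // pointing at an uploaded file -> rejected
];
foreach ($cases as $input) {
    $result = resolve_template_path($root . '/templates', $input);
    printf("%-40s => %s\n", addcslashes($input, "\0"), $result ?? 'rejected');
}
```

The regular expression alone already rejects every traversal form, so the `realpath()` prefix comparison is deliberately redundant: it also catches a symlink inside the template directory that points elsewhere, and it keeps protecting the code if someone later loosens the allow-list.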
Since the contents of the file provided in the
file[page_template] to the path of the uploaded file. T
The WordPress Download Manager plugin patched a vulnerability allowing authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files.
While the patch in question was sufficient to protect many configurations, it only checked the very last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions. For instance, it was possible to upload a file titled
This file would be executable on certain Apache/mod_php configurations that use an
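A check that looks only at the final extension is exactly what a double extension defeats, because some Apache/mod_php setups choose a handler from any extension in the name. The added example below, which is not the plugin's or Wordfence's code, rejects a blocked extension appearing in any position, requires the final extension to be on an allow-list, and stores the file under a server-chosen name; `upload_name_is_safe()`, `safe_storage_name()`, both extension lists and the sample file names are assumptions made for illustration.

```php
<?php
// Added example, not code from the plugin or from Wordfence.
// upload_name_is_safe(), safe_storage_name() and the extension lists are assumptions.

declare(strict_types=1);

/** Extensions that must not appear anywhere in an uploaded file name. */
const BLOCKED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'phtml', 'phar',
    'htaccess', 'htpasswd', 'cgi', 'pl', 'sh',
];

/** Extensions the download manager is expected to serve. */
const ALLOWED_FINAL_EXTENSIONS = ['pdf', 'zip', 'png', 'jpg', 'jpeg', 'gif', 'txt'];

/**
 * Accept a name only if every dot-separated segment after the first is free
 * of blocked extensions AND the last one is on the allow-list.
 * Checking only the final extension is what lets "name.php.png" through.
 */
function upload_name_is_safe(string $filename): bool
{
    $name = basename($filename);
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    $extensions = array_slice($parts, 1); // every extension, not just the last
    foreach ($extensions as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($extensions), ALLOWED_FINAL_EXTENSIONS, true);
}

/** Store under a server-chosen name so the client's name never reaches disk. */
function safe_storage_name(string $filename): ?string
{
    if (!upload_name_is_safe($filename)) {
        return null;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names with the expected verdict for each.
$samples = [
    'report.pdf'     => true,
    'photo.JPG'      => true,
    'info.php4'      => false, // the extension the original patch blocked
    'info.php.png'   => false, // double extension: last segment alone looks safe
    'info.PhP.png'   => false, // case variation
    'info.php.'      => false, // trailing dot
    '.htaccess'      => false, // would change how the directory is served
    'archive.tar.gz' => false, // not blocked, but gz is not on the allow-list
];
foreach ($samples as $name => $expected) {
    $got = upload_name_is_safe($name);
    printf("%-16s %-7s %s\n", $name, $got ? 'accept' : 'reject', $got === $expected ? 'ok' : 'MISMATCH');
}
echo "stored as: " . (safe_storage_name('report.pdf') ?? 'rejected') . "\n";
```

Renaming on storage is the second half of the defence: even if a name slips past the extension checks, the file on disk ends up with one server-chosen extension, and a deny rule in the upload directory (the `.htaccess` the page mentions) remains the last line of defence rather than the only one.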
Although the CVSS score of this vulnerability is significantly higher than that of the previous vulnerability, it is much less likely to be exploited in the real world due to the presence of an .htaccess file in the downloads directory making it difficult to execute any uploaded files.