Remote Code Execution Flaws Patched in WordPress Download Manager Plugin

A vulnerability patched recently in the WordPress Download Manager plugin could be abused to execute arbitrary code under specific configurations, the Wordfence team at WordPress security company Defiant warns.

Tracked as CVE-2021-34639 and having a CVSS score of 7.5, the bug is an authenticated file upload issue that could have allowed attackers to upload files with php4 extensions, as well as files that could be executed if certain conditions were met.

Specifically, the plugin was found vulnerable to a double extension attack, where a file with multiple extensions could be used to execute code.

“For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive,” Wordfence explains.

The security researchers point out that, although this is a high-severity issue, exploiting it is not straightforward, because an .htaccess file in the download directory prevents the execution of uploaded files.
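As an added example (not code from Wordfence or the plugin), the following Python audit is one way a site owner could list files in a download directory whose name carries a PHP-mapped extension in any position, and note whether an .htaccess file sits beside them. The extension list, function names and sample file names are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: extensions commonly mapped to the PHP handler; adjust to the
# AddHandler/AddType directives in your own Apache configuration.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def risky_segments(filename):
    """Return every dot-separated segment after the base name that maps to PHP.

    Apache mod_mime considers all extensions of a file, so with AddHandler
    or AddType 'info.php.png' can reach the PHP handler even though the
    last extension is an image type.
    """
    parts = filename.lower().split(".")
    return [p for p in parts[1:] if p in PHP_EXTENSIONS]


def audit_upload_dir(root):
    """Walk root and report risky files, noting .htaccess in the same directory.

    Only the presence of .htaccess is recorded; its content is not inspected,
    and an .htaccess in a parent directory is not taken into account.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        protected = ".htaccess" in files
        for name in sorted(files):
            if name == ".htaccess":
                continue
            hits = risky_segments(name)
            if hits:
                findings.append({
                    "path": os.path.join(dirpath, name),
                    "extensions": hits,
                    "htaccess_present": protected,
                })
    return findings


if __name__ == "__main__":
    # Constructed sample directory, so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.pdf", "info.php.png", "shell.php4", "photo.png"):
            open(os.path.join(tmp, name), "w").close()
        for finding in audit_upload_dir(tmp):
            print(finding)
```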

WordPress Download Manager releases prior to version 3.1.24 are impacted. The vulnerability was patched in early May alongside a medium-severity flaw that could be abused to access sensitive information.

Tracked as CVE-2021-34638 (CVSS score of 6.5), the issue is a directory traversal that could allow a low-privileged user “to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter,” Wordfence says.

Thus, the contents of the wp-config.php file are displayed in the page source when previewing the download.

The vulnerability, Wordfence explains, could also be abused for code execution. A user with the permissions of an author could upload a file that has an image extension but contains malicious JavaScript.

By including the path of the uploaded file in the file[page_template] parameter, the user would ensure that the JavaScript could be executed whenever the page was viewed or previewed. This would lead to stored cross-site scripting, allowing the attacker to take over a site by executing code in the administrator’s browser session.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
