A vulnerability patched recently in the WordPress Download Manager plugin could be abused to execute arbitrary code under specific configurations, the Wordfence team at WordPress security company Defiant warns.
Tracked as CVE-2021-34639 and having a CVSS score of 7.5, the bug is an authenticated file upload issue that could have allowed attackers to upload files with php4 extensions, as well as files that could be executed if certain conditions were met.
Specifically, the plugin was found vulnerable to a double extension attack, where a file with multiple extensions could be used to execute code.
“For instance, it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive,” Wordfence explains.
The security researchers point out that, although this is a high-severity issue, its exploitation is not as simple, because an .htaccess file in the download directory prevents the execution of uploaded files.
WordPress Download Manager releases prior to version 3.1.24 are impacted. The vulnerability was patched in early May alongside a medium-severity flaw that could be abused to access sensitive information.
Tracked as CVE-2021-34638 (CVSS score of 6.5), the issue is a directory traversal that could allow a low privileged user “to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter,” Wordfence says.
Thus, the contents of the wp-config.php file are displayed in the page source when previewing the download.
The vulnerability, Wordfence explains, could also be abused for code execution. A user with the permissions of an author could upload a file with an image extension but which includes malicious JavaScript.
By including the path of the uploaded file in the file[page_template] parameter, the user would ensure that the JavaScript could be executed whenever the page was viewed or previewed. This would lead to stored cross-site scripting, allowing the attacker to take over a site by executing code in the administrator’s browser session.
Related: Actively Exploited Zero-Day Found in Popular WordPress eCommerce Plugin
Related: Severe Flaws in Official ‘Facebook for WordPress’ Plugin
Related: Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover