Security News > 2021 > July > Remote Code Execution Flaws Patched in WordPress Download Manager Plugin

Remote Code Execution Flaws Patched in WordPress Download Manager Plugin
2021-07-30 12:40

A vulnerability patched recently in the WordPress Download Manager plugin could be abused to execute arbitrary code under specific configurations, the Wordfence team at WordPress security company Defiant warns.

Tracked as CVE-2021-34639 and having a CVSS score of 7.5, the bug is an authenticated file upload issue that could have allowed attackers to upload files with php4 extensions, as well as files that could be executed if certain conditions were met.

Specifically, the plugin was found vulnerable to a double extension attack, where a file with multiple extensions could be used to execute code.

Htaccess file in the download directory prevents the execution of uploaded files.

Tracked as CVE-2021-34638, the issue is a directory traversal that could allow a low privileged user "To retrieve the contents of a site's wp-config.php file by adding a new download and performing a directory traversal attack using the file parameter," Wordfence says.

Php file are displayed in the page source when previewing the download. The vulnerability, Wordfence explains, could also be abused for code execution.


News URL

http://feedproxy.google.com/~r/securityweek/~3/WX2AG7WdPd8/remote-code-execution-flaws-patched-wordpress-download-manager-plugin

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-08-05 CVE-2021-34639 Unrestricted Upload of File with Dangerous Type vulnerability in Wpdownloadmanager Wordpress Download Manager
Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g.
network
low complexity
wpdownloadmanager CWE-434
8.8
2021-08-05 CVE-2021-34638 Path Traversal vulnerability in Wpdownloadmanager Wordpress Download Manager
Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions.
network
low complexity
wpdownloadmanager CWE-22
6.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 95 44 18 159
Plugin 2 0 13 1 0 14