The Wordfence Threat Intelligence Team found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations on WordPress Download Manager, a WordPress plugin installed on over 100,000 sites.
The WordPress Download Manager plugin allows the use of templates to change how download pages are displayed. Although there were some protections in place to protect against directory traversal, these were woefully insufficient.
As such, it was possible for a user with lower permissions, such as a contributor, to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter.
Upon previewing the download, the contents of the wp-config.php file would be visible in the page source.
Since the contents of the file provided in the file[page_template] parameter were echoed out onto the page source, a user with author-level permissions could also upload a file with an image extension containing malicious JavaScript and set the contents of file[page_template] to the path of the uploaded file. T
This would lead to the JavaScript in the file being executed whenever the page was viewed or previewed resulting in Stored Cross-Site Scripting. As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session.
The WordPress Download Manager plugin patched a vulnerability allowing authors and other users with the upload_files capability to upload files with php4 extensions as well as other potentially executable files.
While the patch in question was sufficient to protect many configurations, it only checked the very last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions. For instance, it was possible to upload a file titled info.php.png.
This file would be executable on certain Apache/mod_php configurations that use an AddHandler or AddType directive.
Although the CVSS score of this vulnerability is significantly higher than that of the previous vulnerability, it is much less likely to be exploited in the real world due to the presence of an .htaccess file in the downloads directory making it difficult to execute any uploaded files.
