WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Description
Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension.
Proof of Concept
As a contributor, it is possible to retrieve the contents of a site’s wp-config.php file by performing the following steps: Login as a contributor user and go to Downloads->Add New. Name the post, and intercept the request when you Submit for Review (no file needs to be uploaded). In the file[page_template] parameter, swap out page-template-1col-flat.php for “\\../../../../../wp-config.php” Then preview the page. The contents of the wp-config.php file will be visible in the page source. The reason this is possible is due to the wpdm_basename function in wpdm-functions.php. After removing the initial “\\” from the parameter value, it returns ../../../../../wp-config.php as the basename.
Affects Plugins
Fixed in version 3.1.25✓
Classification
Miscellaneous
Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-07-29 (about 3 months ago)
Added
2021-07-29 (about 3 months ago)
Last Updated
2021-07-29 (about 3 months ago)