WordPress Download Manager < 3.1.25 – Authenticated Directory Traversal | CVE 2021-34638

Description

Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension.

Proof of Concept

As a contributor, it is possible to retrieve the contents of a site’s wp-config.php file by performing the following steps:
Login as a contributor user and go to Downloads->Add New. Name the post, and intercept the request when you Submit for Review (no file needs to be uploaded).
In the file[page_template]  parameter, swap out page-template-1col-flat.php for “\\../../../../../wp-config.php”
Then preview the page. The contents of the wp-config.php file will be visible in the page source.
The reason this is possible is due to the wpdm_basename function in wpdm-functions.php. After removing the initial “\\” from the parameter value, it returns ../../../../../wp-config.php as the basename.