Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, and allows Author+ users to perform XSS attacks, by setting the Download template to a file containing configuration information or to an uploaded JavaScript file with an image extension.
As a contributor, it is possible to retrieve the contents of a site's wp-config.php file with the following steps:
1. Log in as a contributor user and go to Downloads->Add New.
2. Name the post and intercept the request when you click Submit for Review (no file needs to be uploaded).
3. In the file[page_template] parameter, swap out page-template-1col-flat.php for "\\../../../../../wp-config.php".
4. Preview the page. The contents of the wp-config.php file will be visible in the page source.
This is possible because of the wpdm_basename function in wpdm-functions.php: after removing the initial "\\" from the parameter value, it returns ../../../../../wp-config.php as the basename, which the plugin then loads as the download template.
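As an added example (not the plugin's code and not part of the advisory), the following Python script models the flaw described above beside a hardened resolver. The vulnerable_basename function is an assumption: it reproduces only the behaviour the advisory attributes to wpdm_basename (a leading backslash is stripped and the remainder is passed through), not the plugin's actual implementation. The directory layout, the template allowlist and the wp-config.php contents are constructed for the demonstration, which is why the payload here needs four ".." segments rather than the five in the proof of concept.

```python
"""Model of the template-path traversal and a hardened resolver (added example)."""
import os
import tempfile

# Assumed allowlist of template file names; the real plugin's set is not reproduced.
ALLOWED_TEMPLATES = {"page-template-1col-flat.php"}


def vulnerable_basename(path: str) -> str:
    """Assumption: models the reported flaw only. A leading backslash is
    stripped and the rest is returned untouched, so '\\../../wp-config.php'
    becomes '../../wp-config.php' instead of 'wp-config.php'."""
    if path.startswith("\\"):
        return path.lstrip("\\")
    return os.path.basename(path)


def vulnerable_resolve(template_dir: str, page_template: str) -> str:
    # Joining attacker-controlled '..' segments onto the template directory
    # walks out of it; normpath just collapses the segments.
    return os.path.normpath(os.path.join(template_dir, vulnerable_basename(page_template)))


def hardened_resolve(template_dir: str, page_template: str) -> str:
    """Reduce the value to a bare file name (treating backslashes as separators),
    require it to be an allowlisted template, then confirm the resolved path is
    still inside the template directory after symlinks are followed."""
    name = os.path.basename(page_template.replace("\\", "/"))
    if name not in ALLOWED_TEMPLATES:
        raise ValueError(f"template not permitted: {page_template!r}")
    root = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes template directory: {page_template!r}")
    return candidate


def read_template(resolver, template_dir: str, page_template: str) -> str:
    """Load whatever file the given resolver points at, as a template loader would."""
    with open(resolver(template_dir, page_template), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed mini WordPress layout and run both resolvers on the payload."""
    root = tempfile.mkdtemp()
    template_dir = os.path.join(root, "wp-content", "plugins", "download-manager", "tpls")
    os.makedirs(template_dir)
    with open(os.path.join(template_dir, "page-template-1col-flat.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed template */ ?>")
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("define('DB_PASSWORD', 'constructed-secret');")  # constructed secret

    # Four '..' climb from tpls/ to the constructed site root in this layout.
    payload = "\\../../../../wp-config.php"
    out = {"vulnerable": read_template(vulnerable_resolve, template_dir, payload)}
    try:
        hardened_resolve(template_dir, payload)
        out["hardened_rejected"] = False
    except ValueError:
        out["hardened_rejected"] = True
    out["hardened_ok"] = os.path.basename(
        hardened_resolve(template_dir, "page-template-1col-flat.php"))
    return out


if __name__ == "__main__":
    print(demo())
```

The vulnerable resolver returns the constructed wp-config.php contents, while the hardened one rejects the payload at the allowlist check before the containment check is even reached. The containment check is still worth keeping as a second layer: it catches cases where an allowlisted name is later made to point outside the directory, for example through a symlink.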
Ramuel Gall
Yes
2021-07-29
2022-02-24