WordPress Plugin Vulnerabilities

Simple Download Monitor < 3.9.5 - Contributor+ Arbitrary File Download via Path Traversal

Description

The plugin allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

Proof of Concept

As a contributor

1) Add new download
2) Set "Downloadable File" to http://example.com/wp-content/../wp-config.php
3) Enable "Dispatch the file via PHP directly"
4) Preview
5) Click download button
6) wp-config.php file is downloaded

Affects Plugins

simple-download-monitor

Fixed in version 3.9.5

References

CVE

CVE-2021-24692

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4c9fe97e-3d9b-4079-88d9-34e2d0605215

Timeline

Publicly Published

2021-09-02 (about 10 months ago)

Added

2022-02-15 (about 4 months ago)

Last Updated

2022-04-08 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin