Simple Download Monitor < 3.9.5 – Contributor+ Arbitrary File Download via Path Traversal | CVE 2021-24692

Description

The plugin allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

Proof of Concept

As a contributor

1) Add new download
2) Set "Downloadable File" to http://example.com/wp-content/../wp-config.php
3) Enable "Dispatch the file via PHP directly"
4) Preview
5) Click download button
6) wp-config.php file is downloaded

Affects Plugins

simple-download-monitor

Fixed in 3.9.5

References

CVE

CVE-2021-24692

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4c9fe97e-3d9b-4079-88d9-34e2d0605215

Timeline

Publicly Published

2021-09-02 (about 4 years ago)

Added

2022-02-15 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2022-02-23

Title

WooCommerce < 6.2.1 - Path Traversal via Importers

Published

2019-07-12

Title

Ad Inserter <= 2.4.19 - Authenticated Path Traversal

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal

Published

2021-02-08

Title

Digital Publications by Supsystic < 1.6.12 - Authenticated Path Traversal

Published

2023-12-08

Title

Import and export users and customers < 1.24.3 - Admin+ Arbitrary File Read/Deletion