Tech Business News - Australian Technology News
IT Security

High Severity Vulnerability Patched in WordPress Download Manager Plugin

Editorial Desk
Last updated: August 4, 2022 6:16 am

On July 8, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability it discovered in “Download Manager,” a WordPress plugin installed on over 100,000 sites.

This flaw makes it possible for an authenticated attacker who can create downloads to delete arbitrary files hosted on the server.

If the attacker deletes the wp-config.php file, they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.

Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability.

Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

According to Chloe Chamberland at Wordfence, they attempted to reach out to the developer on July 8, 2022, the same day they discovered the vulnerability.

“We never received a response so we sent the full details to the WordPress.org plugins team on July 26, 2022,” says Wordfence.

The plugin was fully patched the next day on July 27, 2022.

Wordfence strongly recommends ensuring that your site has been updated to the latest patched version of “Download Manager”, which was version 3.2.53 at the time of this publication.

Description: Authenticated (Contributor+) Arbitrary File Deletion
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51

Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download.

Unfortunately, vulnerable versions of the plugin do not validate the file path that is stored with a download and later removed when the post is deleted, which makes it possible for attackers to delete arbitrary files on the server.

More specifically, vulnerable versions of the plugin register a deleteFiles() function on the before_delete_post hook.

This hook is triggered right before a post is permanently deleted, and its intended purpose here is to delete any files that were uploaded and associated with a “download” post.

At first glance this looks like relatively safe functionality, assuming the originally supplied file path is validated.

Unfortunately, that is not the case: the path to the file saved with the “download” post is not validated to ensure that it points to a safe file type or to a location associated with a “download” post.

On many configurations an attacker could supply a path such as /var/www/html/wp-config.php, which would associate the site’s WordPress configuration file with the download post.


When the user goes to permanently delete the “download” post, the deleteFiles() function is triggered by the before_delete_post hook and the supplied file is deleted if it exists.

This can be used by attackers to delete critical files hosted on the server.
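The pattern described above, shown beside a hardened counterpart, as an added illustration that is not the Download Manager plugin’s own code. The post type name wpdmpro, the meta key _wpdm_file_path, the download-manager-files directory and the function names are assumptions made for this example. The hardened handler treats the stored value as a bare file name, resolves it inside a fixed download directory with realpath(), and refuses anything that escapes that directory or carries a PHP extension, so a stored value of /var/www/html/wp-config.php is rejected instead of deleted.

```php
<?php
/*
 * Added illustration, not the plugin's own code. All names below are
 * hypothetical: post type 'wpdmpro', meta key '_wpdm_file_path', and the
 * download directory <uploads>/download-manager-files/.
 */

// Vulnerable pattern (shown for contrast, not registered on the hook):
// whatever path was saved with the post is deleted without validation.
function wpdm_delete_files_vulnerable( $post_id ) {
    if ( get_post_type( $post_id ) !== 'wpdmpro' ) {
        return;
    }
    $file = get_post_meta( $post_id, '_wpdm_file_path', true );
    // No check that $file sits inside the download directory, so a stored
    // value of /var/www/html/wp-config.php removes the site's config file.
    if ( $file && file_exists( $file ) ) {
        @unlink( $file );
    }
}

// Hardened: accept only a bare file name, resolve it under $download_dir,
// and require the resolved path to stay inside that directory.
// Returns the real path to delete, or null if the value is unsafe.
function wpdm_resolve_download_file( $stored, $download_dir ) {
    $base = realpath( $download_dir );
    $name = basename( (string) $stored );
    // Reject anything carrying directory components ('../x', '/etc/x', ...).
    if ( $base === false || $name === '' || $name !== (string) $stored ) {
        return null;
    }
    $real = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $real === false ) {
        return null; // file does not exist
    }
    // Containment check on the resolved path: a symlink inside the download
    // directory that points at wp-config.php resolves outside $base and fails.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( strncmp( $real, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }
    // Belt and braces: the deletion routine never touches PHP files.
    if ( preg_match( '/\.ph(p[0-9]?|tml|ar)$/i', $real ) ) {
        return null;
    }
    return $real;
}

function wpdm_delete_files_hardened( $post_id ) {
    if ( get_post_type( $post_id ) !== 'wpdmpro' ) {
        return;
    }
    $uploads = wp_upload_dir();
    $dir     = $uploads['basedir'] . '/download-manager-files';
    $stored  = get_post_meta( $post_id, '_wpdm_file_path', true );
    $real    = wpdm_resolve_download_file( $stored, $dir );
    if ( $real !== null ) {
        wp_delete_file( $real );
    }
}
add_action( 'before_delete_post', 'wpdm_delete_files_hardened' );
```

The design choice worth noting is that the hardened version never trusts a stored path at all: the directory is fixed by the plugin and only the file name comes from post meta, and the realpath() containment check is applied after resolution so that neither ../ sequences nor symlinks planted in the download directory can steer the unlink outside it.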

The wp-config.php file in particular is a popular target for attackers because deleting it disconnects the existing database from the compromised site and lets the attacker re-complete the initial installation process, connecting a database of their own.

Once their own database is connected, they would hold an administrator account on the site and could upload arbitrary files, such as a malicious plugin or theme, to execute code and further infect the system.

This vulnerability requires contributor-level access or above to exploit, so it serves as an important reminder not to grant contributor-level or higher access to untrusted users.

It is also important to verify that all users have strong passwords, so that a vulnerability like this cannot be reached by an unauthorized actor who obtains a low-privileged account through a weak or compromised password.

Timeline

July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence Premium, Wordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.

July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.

July 27, 2022 – A fully patched version of the plugin is released as version 3.2.51.

August 7, 2022 – Wordfence free users receive the firewall rule.

Wordfence says they highly recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which was version 3.2.53 at the time of this publication.

By Editorial Desk
The TBN team is a well-established group of technology industry professionals with backgrounds in IT Systems, Business Communications and Journalism.