Update: Download Manager Plugin Vulnerability Patched July 27, 2022
August 3, 2022
The Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability they discovered on July 8, 2022 in “Download Manager,” a WordPress plugin that is installed on over 100,000+ sites. This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads. If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process. "Download Manager Plugin Vulnerability has been Patched already".
Wordfence team attempted to reach out to the developer on July 8, 2022, the same day they discovered the vulnerability. They never received a response so they sent the full details to the WordPress.org plugins team on July 26, 2022. The plugin was fully patched the next day July 27, 2022.
Affected Plugin: Download Manager
Description: Authenticated (Contributor+) Arbitrary File Deletion
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51
We strongly recommend ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.
Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download. Unfortunately, vulnerable versions of the plugin contain a bypass in how the downloadable file is stored and subsequently deleted upon post deletion that make it possible for attackers to delete arbitrary files on the server.
Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download.
Unfortunately, vulnerable versions of the plugin contain a bypass in how the downloadable file is stored and subsequently deleted upon post deletion that make it possible for attackers to delete arbitrary files on the server.
More specifically, vulnerable versions of the plugin register the deleteFiles() function that is called via the before_delete_post hook. This hook is triggered right before a post has been deleted and its intended functionality, in this case, is to delete any files that may have been uploaded and associated with a “download” post.
At first glance this looks like a relatively safe functionality assuming the originally supplied file path is validated. Unfortunately, however, that is not the case as the path to the file saved with the “download” post is not validated to ensure it was a safe file type or in a location associated with a “download” post. This means that a path to an arbitrary file with any extension can be supplied via the file[files][] parameter when saving a post and that would be the file associated with the “download” post. On many configurations an attacker could supply a path such as /var/www/html/wp-config.php that would associate the site’s WordPress configuration file with the download post.
add_action('before_delete_post', array($this, 'deleteFiles'), 10, 2);function deleteFiles($post_id, $post)
{
$files = WPDM()->package->getFiles($post_id, false);
foreach ($files as $file) {
$file = WPDM()->fileSystem->locateFile($file);
@unlink($file);
}
}When the user goes to permanently delete the “download” post the deleteFiles() function will be triggered by the before_delete_post hook and the supplied file will be deleted, if it exists.
This can be used by attackers to delete critical files hosted on the server. The wp-config.php file in particular is a popular target for attackers as deletion of this file would disconnect the existing database from the compromised site and allow the attacker to re-complete the initial installation process and connect their own database to the site. Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.
This vulnerability requires contributor-level access and above to exploit, so it serves as an important reminder to make sure you don’t provide contributor-level and above access to untrusted users. It’s also important to validate that all users have strong passwords to ensure your site won’t subsequently be compromised as a result of a vulnerability like this due to an unauthorized actor gaining access via a weak or compromised password.
The latest patched version for the "Download Manager" wordpress plugin which is version 3.2.53, so we strongly recommend you to update to the latest patched version ASAP if you haven't yet. Also inform your friends and colleagues about this update so that they can avoid getting into unwanted vulnerability issue.
If you believe your website has been attacked by this vulnerability or any other malware attack, we offer website malware cleaning service to clean your website. Contact us