The Wordfence Threat Intelligence team has discovered two separate vulnerabilities in a popular WordPress plugin used to change how download pages are displayed.
The first vulnerability can be exploited to achieve authenticated directory traversal according to Wordfence. While WordPress Download Manager had some protections in place to protect against directory traversal, they were far from sufficient. As a result, it was possible for a user such as a contributor with lower privileges to retrieve the contents of a site's wp-config.php file by adding a new download and performing a directory traversal attack.
- We've built a list of the best WordPress plugins available
- These are the best WordPress hosting solutions on the market
- Also check out our roundup of the best WordPress themes
Double extension attack
Before Wordfence discovered these two vulnerabilities, the team behind the WordPress Download Manager patched a vulnerability that allowed users to upload files with php4 extensions as well as other potentially executable files.
Although this patch protected many configurations, it only checked the very last file extension which made it possible for an attacker to carry out a “double extension” attack by uploading a file with multiple extensions like info.php.png.
The Wordfence Threat Intelligence Team responsibly disclosed its findings to the WordPress Download Manager team at the beginning of May and the plugin's developer released a patched version of the plugin the following day.
Still if you're a WordPress site owner that uses the plugin, it is highly recommended that you update to the latest version immediately to avoid falling victim to any attacks exploiting these two now patched vulnerabilities.
- We've also featured the best web hosting services