Critical vulnerability in WordPress Download Manager affects more than 100k websites

Wordfence specialists discovered a critical vulnerability in Download Manager, one of the most popular WordPress plugins. Tracked as CVE-2021-34639, the flaw resides in this plugin and could allow threat actors to execute arbitrary code under certain circumstances.

To be precise, the flaw could allow authors and other users with the upload_files capability to upload files with php4 extensions, as well as other potentially executable files.

According to Wordfence experts, the plugin's developers fixed a flaw that would “make it easier to execute arbitrary files on the affected websites.” While the patch released by the developers was enough to protect many configurations, it only checked the last file extension, so it was still possible to perform a “double extension” attack by uploading a file with multiple extensions.

As some users will know, a double-extension attack occurs when threat actors submit a file with multiple extensions so that it is executed, as a method of evading the affected security mechanisms.
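To make the difference between the two checks concrete, here is an added example, written in Python rather than the plugin's PHP and not taken from the plugin or from Wordfence, that contrasts a last-extension-only check (the behaviour the article attributes to the first patch) with one that inspects every extension segment against an allowlist; the allowlist and blocklist contents and the sample filenames are assumptions constructed for the demonstration.

```python
# Added illustration (not the plugin's own code) of the two upload filename
# checks contrasted in the article: inspecting only the final extension versus
# inspecting every dot-separated segment after the base name.

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "zip"}  # assumed allowlist
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}  # assumed blocklist


def last_extension_check(filename: str) -> bool:
    """Weak check, modelled on the first patch described in the article:
    only the final extension is compared against a blocklist.
    Returns True when the upload would be accepted."""
    name = filename.lower()
    last = name.rsplit(".", 1)[1] if "." in name else ""
    return last not in EXECUTABLE_EXTENSIONS


def every_extension_check(filename: str) -> bool:
    """Hardened check: every segment after the base name must be on the
    allowlist, so 'x.php4.jpg', 'x.jpg.php' and the trailing-dot form 'x.php.'
    are all rejected. Returns True when the upload would be accepted."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False  # no extension at all: reject rather than guess a type
    return all(part in ALLOWED_EXTENSIONS for part in parts[1:])


def compare(filenames):
    """Run both checks; returns {filename: (weak_accepts, hardened_accepts)}."""
    return {f: (last_extension_check(f), every_extension_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample upload names for the demonstration.
    samples = ["photo.jpg", "notes.php4", "notes.php4.jpg", "shell.php.", "README"]
    for name, (weak, hard) in compare(samples).items():
        print(f"{name:16} last-ext-only={weak!s:5} every-ext={hard!s:5}")
```

Note that the allowlist form also rejects legitimate multi-extension names such as archive.tar.gz; those need an explicit rule rather than a relaxed check.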

Regarding the vulnerability, the report notes that this bug received a score of 7.5/10 according to the Common Vulnerability Scoring System (CVSS). The flaw is severe but the exploitation is highly complex, since even under the required conditions it is complicated to execute the uploaded files.

This error resides in all versions of Download Manager prior to v3.1.24. Developers addressed the vulnerability in May, noting that its exploitation would allow users with reduced privileges to retrieve content from the wp-config.php file of a specific site by adding a new download: “Since the contents of the file provided in the file[page_template] parameter were echoed out onto the page source, a user with author-level permissions could also upload a file with an image extension containing malicious JavaScript and set the contents of file[page_template] to the path of the uploaded file.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.