Dangerous vulnerability in the popular (around 850,000 downloads) WordPress Download Manager plugin. The vulnerability was discovered and disclosed last week. Exploitation of this vulnerability allows an attacker to take remotely control of the target web-site through the introduction of backdoors and modify user passwords.

Specialists of the company Sucuri found dangerous vulnerability in the WordPress Download Manager Plugin. Exploitation of this flaw allows an remote attacker to gain control of the target web-site through the introduction of backdoors and modification of user passwords.

As explained by the expert Sucuri Mickael Nadeau, the plugin uses a special method of processing AJAX-requests that can be used by an attacker to call arbitrary functions within the application context. As before, in processing AJAX calls permissions check is not performed, an attacker could introduce a backdoor in the web-site, or change the administrator password in the event that the account name is already known.

The company’s specialists emphasize that the attack can be carried out only if the offender can generate real-time code (nonce) – a special key used to identify a specific operation of a user. However, since in the application’s context of the application can be performed any function, an attacker can cause the snippet of code generating that particular nonce first.

Immediately after the discovery of the vulnerability of the plugin developer released a software update WordPress Download Manager 2.7.5, which is highly recommended for all users.

High risk vulnerability in the WordPress Download Manager

Danger level: Very High

The presence of fixes: Yes

The number of vulnerabilities: 1

CVSSv2 rating: (AV: N / AC: L / Au: N / C: C / I: C / A: C / E: U / RL: O / RC: C) = Base: 10 / Temporal: 7.4

Vector of operation: Remote

Impact: Code Execution, Remote File Inclusion

Affected products: WordPress Download Manager Plugin 2.x

Affected versions: WordPress Download Manager to version 2.7.5

Description:

The vulnerability allows a remote user to compromise a vulnerable system (Code Execution, Remote File Inclusion).

The vulnerability is caused due to lack of permission checking when processing AJAX calls. This can be exploited to gain control of the attacked web-site.

Note: Successfuly exploiting this vulnerability requires generate valid a one-time code (nonce).

Solution: Install the latest version 2.7.5 from the manufacturer.

References:

http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html

Manufacturer URL: https://wordpress.org/plugins/download-manager/