Patch this WordPress plugin bug, thousands of site owners warned

News
By published

Unpatched vulnerabilities could be exploited to achieve remote code execution

WordPress logo
(Image credit: Pixabay)

The Wordfence Threat Intelligence team has discovered two separate vulnerabilities in a popular WordPress plugin used to change how download pages are displayed.

The plugin in question is called WordPress Download Manager and it has been installed on over 100,000 sites according to WordPress.org.

The first vulnerability can be exploited to achieve authenticated directory traversal according to Wordfence. While WordPress Download Manager had some protections in place to protect against directory traversal, they were far from sufficient. As a result, it was possible for a user such as a contributor with lower privileges to retrieve the contents of a site's wp-config.php file by adding a new download and performing a directory traversal attack.

From here, upon previewing the download, the contents of the wp-config.php file would be visible in the page's source code. However, since the contents of the file were echoed out onto the page source, a user with author-level permissions could also upload a file with an image extension containing malicious JavaScript and set the contents of file[page_template] to the path of the uploaded file which could result in Stored Cross-Site Scripting.

Double extension attack

Before Wordfence discovered these two vulnerabilities, the team behind the WordPress Download Manager patched a vulnerability that allowed users to upload files with php4 extensions as well as other potentially executable files.

Although this patch protected many configurations, it only checked the very last file extension which made it possible for an attacker to carry out a “double extension” attack by uploading a file with multiple extensions like info.php.png.

The Wordfence Threat Intelligence Team responsibly disclosed its findings to the WordPress Download Manager team at the beginning of May and the plugin's developer released a patched version of the plugin the following day.

Still if you're a WordPress site owner that uses the plugin, it is highly recommended that you update to the latest version immediately to avoid falling victim to any attacks exploiting these two now patched vulnerabilities.

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Top WordPress plugins found to have some serious security flaws, so make sure you're protected
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Latest in Website Building
Wix automation
The world's leading website builder aims to save businesses time with new tool
Squarespace
Build a website for less with 10% off Squarespace subscriptions
Squarespace
Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix Printful
Wix teams up with Printful for in-house print-on-demand tools
Squarespace
Don't miss out on this great Squarespace deal
Hostinger Website Builder vs WordPress.com: Which is better?
Hostinger Website Builder vs WordPress.com: Battle of the WordPress website builders
Latest in News
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
More about website building
Squarespace

Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix automation

The world's leading website builder aims to save businesses time with new tool
Compal Infinite Laptop

This laptop has a horizontal rollable display that extends to 18 inches, and I can't wait to try it
See more latest
Most Popular
Compal Infinite Laptop
This laptop has a horizontal rollable display that extends to 18 inches, and I can't wait to try it
Silicon Motion MonTian 128TB SSD
More 128TB SSDs on the way, but they won't be cheaper: Key maker of NAND flash controllers says 128TB SSDs are shipping
Toshiba HDD Innovation Lab
How to make hard drives faster? Simple, just bunch dozens of them together, Toshiba says
Asus Ascent GX10
Asus debuts its own mini AI supercomputer: Ascent GX10 costs $2999 and comes with Nvidia's GB10 Grace Blackwell Superchip
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Micron SOCAMM memory module
World's biggest RAM vendors develop superior memory form factor exclusively for Nvidia, sorry Intel and AMD