Wordpress Downloads Manager Arbitrary File Upload Vulnerability

One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found a quite a few vulnerabilities that exist in the current versions of plugins that it looks like hackers have already started exploiting.

Wordpress Downloads Manager Arbitrary File Upload Vulnerability

There have been periods where we have been spotting those quite often and others where we there are longs periods between discoveries. We have recently been in a slow period, but that has just changed, as yesterday we spotted an arbitrary file upload vulnerability in Genesis Simple Defaults and today we found the same type of vulnerability in the plugin Downloads Manager.

This time it started with a request for the file /wp-content/plugins/downloads-manager/single-download-template.tpl on one of the website, which looked to be someone probing for usage of the Downloads Manager plugin. Based on the name our first thought would that there was a vulnerability in its download capability that would allow you to download an arbitrary file from the website, but as we started to take a look at the plugin we found it had a file upload capability on one the plugin’s page in the admin area of WordPress:


#########################################################

# Exploit Title: Wordpress Downloads Manager Arbitrary File Upload Vulnerability
# Category: webapps
# version affected : 1.0
# Google Dork : inurl:wp-content/plugins/downloads-manager/
# Index of /wp-content/plugins/downloads-manager

########################################################
-------------------------------------------------------------------------------
#
#
# File Path
#
# /wp-content/plugins/downloads-manager/upload/
#

Proof of Concept