WordPress is the backend for many websites across the world. One WordPress plugin, installed on over 1,00,000 websites, has been found to have two separate vulnerabilities. The plugin, called WordPress Download Manager, is used to change how download pages are displayed. The vulnerabilities were found by the Wordfence Threat Intelligence team and pertain to an attacker achieving authenticated directory traversal. Although WordPress Download Manager has some protections in place against directory traversal, they did not prove sufficient in this particular case.
As a result, it was possible for a contributor with lower privileges to retrieve the contents of a site's wp-config.php file by adding a new download and performing a directory traversal attack. The contents of wp-config.php were then visible in the page's source code upon previewing the download. Since the contents of the file were echoed out onto the page source, a user with author-level access could also upload a file or multimedia containing malicious JavaScript and set the contents of the file to the path of the uploaded file, which could result in Stored Cross-Site Scripting.
Before this, the WordPress Download Manager team had patched a vulnerability that allowed users to upload files with php4 extensions as well as other potentially malicious files. Although this patch protected many configurations, it only checked the last file extension, which made it possible for an attacker to carry out a "double extension" attack by uploading a file with multiple extensions like info.php.png.
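The last-extension gap described above, shown beside a stricter check, as an added PHP example that is not the plugin's own code. The blocklist contents and both function names are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress Download Manager code.
// The blocklist below is an assumption made for this example.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];

// Weak form: inspects only the final extension, as the article describes.
function last_extension_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Hardened form: every dot-separated segment after the base name is checked.
function every_extension_allowed(string $filename): bool
{
    // Normalise separators so a Windows-style path cannot hide the file name.
    $name = basename(str_replace('\\', '/', $filename));
    // Trailing dots and spaces are dropped by some filesystems; remove them first.
    $name = rtrim($name, ". \t\0");
    $segments = explode('.', strtolower($name));
    array_shift($segments); // drop the base name, keep only the extensions
    foreach ($segments as $segment) {
        if (in_array(trim($segment), BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names; info.php.png is the one quoted in the article.
$samples = ['report.pdf', 'info.php4', 'info.php.png', 'INFO.PhP.PNG', 'archive.tar.gz'];
foreach ($samples as $sample) {
    printf(
        "%-16s last-only=%-7s every-segment=%s\n",
        $sample,
        last_extension_allowed($sample) ? 'allow' : 'reject',
        every_extension_allowed($sample) ? 'allow' : 'reject'
    );
}
```

An allowlist of permitted extensions is stricter than a blocklist like this one, since it rejects anything not explicitly expected.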
The Wordfence Threat Intelligence Team had disclosed its findings to the WordPress team in May and the developers released a patch the following day. Website owners who use WordPress are advised to update to the latest version immediately.