Cybersecurity threats 2014: High risk vulnerability in the WordPress Plugin

Posted: December 9, 2014 in Vulnerabilities

A dangerous vulnerability has been found in the popular WordPress Download Manager plugin (around 850,000 downloads). It was discovered and disclosed last week by specialists at Sucuri. Exploiting the flaw lets a remote attacker take control of the target website by planting backdoors and changing user passwords.

As Sucuri researcher Mickael Nadeau explains, the plugin uses an unusual way of processing AJAX requests: the name of the function to run is taken from the request itself, so an attacker can call arbitrary functions within the application's context. Because no permission check is performed while handling these AJAX calls, an unauthenticated attacker can plant a backdoor on the site or, if the administrator's account name is already known, change the administrator's password.

Sucuri's specialists stress that the attack only works if the attacker can obtain a valid nonce, the time-limited token WordPress uses to tie a request to a specific action by a specific user. However, since any function can be executed in the application's context, the attacker can first call the very code that generates that nonce, and then use it in the real request. The nonce is therefore not an effective barrier here: a nonce proves intent, not permission, and it never substitutes for a capability check.
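The following is an added illustration, not the plugin's own code: it reconstructs the pattern the advisory describes (an AJAX handler that dispatches to whatever function the request names, exposed to unauthenticated visitors, with only a nonce standing in the way) and places the hardened form beside it. Function and hook names (vuln_ajax_call, safe_ajax_call, safe_actions, the 'example-ajax' and 'safe-ajax' nonce actions) are hypothetical.

```php
<?php
// Added example: a hypothetical reconstruction of the vulnerable pattern
// described in the advisory, followed by a hardened version. Not the
// Download Manager plugin's actual code; all names are made up.

// --- vulnerable pattern ---
function vuln_ajax_call() {
    // A nonce only proves the request was built from a page that issued one.
    // Any visitor who can obtain a nonce passes this check.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'example-ajax' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    $fn = $_POST['execute'] ?? '';
    // The request picks the function. Every defined PHP/WordPress function is
    // reachable, including the one that mints the nonce checked above, plus
    // user-management and file-writing functions.
    if ( function_exists( $fn ) ) {
        wp_send_json( call_user_func( $fn, $_POST ) );
    }
    wp_die();
}
// Exposed to logged-out visitors as well as logged-in users: no capability check anywhere.
add_action( 'wp_ajax_nopriv_vuln_call', 'vuln_ajax_call' );
add_action( 'wp_ajax_vuln_call',        'vuln_ajax_call' );

// --- hardened pattern ---
// 1. Fixed dispatch table: the request selects a key, never a function name.
function safe_actions() {
    return array(
        'list_packages'  => 'safe_list_packages',
        'delete_package' => 'safe_delete_package',
    );
}

function safe_ajax_call() {
    // 2. Authorization first. Capabilities prove permission; nonces do not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. CSRF protection: nonce bound to this handler's action. Dies on failure.
    check_ajax_referer( 'safe-ajax', '_wpnonce' );

    $key     = sanitize_key( $_POST['execute'] ?? '' );
    $actions = safe_actions();
    if ( ! isset( $actions[ $key ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    // 4. Pass only validated fields, never the raw request array.
    $id = absint( $_POST['id'] ?? 0 );
    wp_send_json_success( call_user_func( $actions[ $key ], $id ) );
}
// 5. Logged-in users only: no wp_ajax_nopriv_* registration.
add_action( 'wp_ajax_safe_call', 'safe_ajax_call' );

function safe_list_packages( $id ) {
    return get_posts( array( 'post_type' => 'wpdmpro', 'fields' => 'ids' ) );
}

function safe_delete_package( $id ) {
    // Object-level check on top of the global capability check.
    if ( $id <= 0 || ! current_user_can( 'delete_post', $id ) ) {
        return false;
    }
    return (bool) wp_delete_post( $id, true );
}
```

The key design change is that the request can no longer name a function: it can only select one of a small set of handlers, and it reaches even those only after a capability check that runs before the nonce check. When auditing a plugin for this bug class, look for `call_user_func`, `call_user_func_array` or variable function calls (`$fn()`) whose target comes from `$_POST`, `$_GET` or `$_REQUEST`, and for handlers registered on `wp_ajax_nopriv_*` or `init` that never call `current_user_can()`.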

Immediately after the vulnerability was reported, the plugin developer released WordPress Download Manager 2.7.5, which fixes the issue; all users are strongly advised to update.

High risk vulnerability in the WordPress Download Manager

Danger level: Very High
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:O/RC:C (Base: 10.0 / Temporal: 7.4)

Attack vector: Remote
Impact: Code Execution, Remote File Inclusion

Affected product: WordPress Download Manager Plugin 2.x
Affected versions: WordPress Download Manager versions before 2.7.5

Description:
The vulnerability allows a remote, unauthenticated user to compromise a vulnerable system (Code Execution, Remote File Inclusion).

The vulnerability is caused by a lack of permission checking when processing AJAX calls: the handler runs a function named by the request without verifying that the caller is authorized. This can be exploited to gain control of the attacked website, for example by planting a backdoor or changing an administrator's password.

Note: successful exploitation requires a valid nonce for the targeted AJAX action. Because the handler can be made to call arbitrary functions, the attacker can first invoke the function that generates that nonce, so the nonce does not prevent the attack.

Solution: Install version 2.7.5 or later from the vendor.

References:
http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html

Vendor URL: https://wordpress.org/plugins/download-manager/
