On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites.
This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads.
If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.
Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability.
Wordfence Free users will receive this same protection 30 days later on August 7, 2022.
According to Chloe Chamberland at Wordfence they attempted to reach out to the developer on July 8, 2022, the same day they discovered the vulnerability.
“We never received a response so we sent the full details to the WordPress.org plugins team on July 26, 2022.” says Wordfence
The plugin was fully patched the next day on July 27, 2022.
Wordfence strongly recommend ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.
Description: Authenticated (Contributor+) Arbitrary File Deletion
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51
Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download.
Unfortunately, vulnerable versions of the plugin contain a bypass in how the downloadable file is stored and subsequently deleted upon post deletion that make it possible for attackers to delete arbitrary files on the server.
More specifically, vulnerable versions of the plugin register the deleteFiles() function that is called via the before_delete_post hook.
This hook is triggered right before a post has been deleted and its intended functionality in this case is to delete any files that may have been uploaded and associated with a “download” post.
At first glance this looks like a relatively safe functionality assuming the originally supplied file path is validated.
Unfortunately, however, that is not the case as the path to the file saved with the “download” post is not validated to ensure it was a safe file type or in a location associated with a “download” post.
On many configurations an attacker could supply a path such as /var/www/html/wp-config.php that would associate the site’s WordPress configuration file with the download post.
When the user goes to permanently delete the “download” post the deleteFiles() function will be triggered by the before_delete_post hook and the supplied file will be deleted, if it exists.
This can be used by attackers to delete critical files hosted on the server.
The wp-config.php file in particular is a popular target for attackers as deletion of this file would disconnect the existing database from the compromised site and allow the attacker to re-complete the initial installation process and connect their own database to the site.
Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.
This vulnerability requires contributor-level access and above to exploit, so it serves as an important reminder to make sure you don’t provide contributor-level and above access to untrusted users.
It’s also important to validate that all users have strong passwords to ensure your site won’t subsequently be compromised as a result of a vulnerability like this due to an unauthorized actor gaining access via a weak or compromised password.
Timeline
July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence Premium, Wordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.
July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.
July 27, 2022. – A fully patched version of the plugin is released as version 3.2.51.
August 7, 2022 – Wordfence free users receive the firewall rule.
Wordfence says they highly recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.2.53 at the time of this publication.
