CVE-2024-11740 Scanner
CVE-2024-11740 Scanner - Remote Code Execution (RCE) vulnerability in Download Manager
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Download Manager is a widely used WordPress plugin, developed by WPDownloadManager, for managing, tracking, and distributing digital files. Site administrators use it to offer controlled file downloads, collect download statistics, and manage user access. It is popular with educational institutions, small businesses, e-commerce sites, and blogs that distribute downloadable products, software, documents, and multimedia files. The plugin provides a set of customizable shortcodes for embedding download links in posts and pages, and its combination of simple setup and broad functionality has made it a standard tool for many site administrators. In practice it streamlines digital content delivery for both visitors and administrators.
The vulnerability in Download Manager is caused by missing input validation before user-supplied data reaches WordPress's 'do_shortcode' function. Because certain request parameters are passed to 'do_shortcode' without sanitization or other security checks, an unauthenticated attacker can inject shortcode syntax and have the site execute arbitrary shortcodes. A shortcode that an attacker chooses can in turn run whatever the registered shortcode handler does, so the injected input leads to unintended commands or scripts running on the vulnerable WordPress installation. No authentication is required, which makes the flaw easy to exploit remotely. The vulnerability affects all plugin versions up to and including 3.3.03.
The vulnerability is reachable through the '__wpdmxp' parameter of an HTTP GET request to the site's root URL. An attacker places crafted shortcode syntax in this parameter, and the plugin executes it without validation. A request such as "?__wpdmxp=%27][/wpdm_package][wpdm_all_packages][wpdm_package%20id=%27" is enough to trigger the unintended shortcode execution: the affected code passes the parameter value straight into 'do_shortcode', which parses and renders the injected shortcodes immediately. Successful exploitation gives the attacker arbitrary shortcode execution, which can alter site content, expose restricted data, or trigger unauthorized administrative actions. This oversight leaves affected sites open to unauthorized access and manipulation.
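The following PHP is an added illustration of the bug class described above, not code from the Download Manager plugin. It assumes (from the shape of the payload, not confirmed by the page) that the '__wpdmxp' value ends up as the id attribute of a [wpdm_package id='...'] shortcode and that a legitimate id is a positive integer post ID. The function names, the stand-in absint()/do_shortcode() definitions and the constructed request values are all hypothetical; the point is the contrast between splicing request data into shortcode text and validating it first.

```php
<?php
// Added example (not the plugin's own code): the vulnerable pattern behind
// CVE-2024-11740 next to a hardened version of the same handler.
//
// Assumptions: __wpdmxp is used as the id attribute of [wpdm_package id='...'],
// and a valid id is a positive integer package post ID.

// Stand-ins so the file runs outside WordPress; real WordPress defines both.
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}
if (!function_exists('do_shortcode')) {
    // Outside WordPress we only want to see what would be parsed, so the
    // stub returns the shortcode text instead of rendering it.
    function do_shortcode($content) { return $content; }
}

// Vulnerable pattern: the request value is spliced into the shortcode
// source text. A quote followed by "]" closes the attribute and the tag,
// and everything after it is parsed as additional shortcodes.
function render_package_vulnerable(array $get): string
{
    $id = $get['__wpdmxp'] ?? '';
    return do_shortcode("[wpdm_package id='{$id}']");
}

// Hardened pattern: validate the value against what it is supposed to be
// (a positive decimal integer) and emit only the validated integer, so no
// request-controlled character ever reaches the shortcode parser.
function render_package_hardened(array $get): ?string
{
    $raw = (string) ($get['__wpdmxp'] ?? '');
    // Anything other than plain digits is rejected; this also excludes
    // quotes and square brackets, which are shortcode syntax characters.
    if (!preg_match('/\A[1-9][0-9]*\z/', $raw)) {
        return null;
    }
    $id = absint($raw);
    // %d formats the integer only; the string contains nothing from the request.
    return do_shortcode(sprintf("[wpdm_package id='%d']", $id));
}

// Constructed request values for demonstration (hypothetical, not real traffic).
$benign  = ['__wpdmxp' => '42'];
$hostile = ['__wpdmxp' => "'][some_other_shortcode][wpdm_package id='"];

echo "vulnerable, benign : ", render_package_vulnerable($benign), "\n";
echo "vulnerable, hostile: ", render_package_vulnerable($hostile), "\n";
echo "hardened, benign   : ", var_export(render_package_hardened($benign), true), "\n";
echo "hardened, hostile  : ", var_export(render_package_hardened($hostile), true), "\n";
```

Run with `php example.php`: the vulnerable handler turns the hostile value into a string containing a second, attacker-chosen shortcode tag, while the hardened handler returns null for it and only builds a tag for the benign integer. A cleaner design than re-serializing validated data into shortcode text is to call the shortcode's own callback with an attributes array (for example, `['id' => $id]`) so the parser is never involved with request data at all. On the detection side, the same distinction is what a web server log check can key on: requests to the site root whose '__wpdmxp' value contains square brackets or quotes are not legitimate package ids.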
An attacker exploiting this vulnerability can execute arbitrary commands, inject malicious code, and potentially take administrative control of the affected WordPress site. Unauthorized shortcode execution may disclose sensitive data, including user details, authentication credentials, and internal file structures. From there an attacker may escalate access, install malware, plant persistent backdoors, or deface the site. The flaw therefore carries significant security and operational risk, including extended downtime and financial loss. Left unresolved, it undermines site integrity, visitor trust, and the organization's reputation.
REFERENCES
- https://github.com/advisories/GHSA-cq39-wq4r-hjrj
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/Hooks.php#L42
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/views/shortcode-iframe.php#L203
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003?source=cve