CVE-2024-13126 Scanner

CVE-2024-13126 Scanner - Directory listing due to insecure default configuration vulnerability in WordPress Download Manager

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 6 hours
Scan only one: URL
Toolbox: -

WordPress Download Manager is a popular plugin that allows site owners to manage, track, and restrict file downloads on their websites. It is widely used in WordPress-based websites for distributing documents, software, images, and other downloadable content. The plugin includes features like file access control, password protection, and download statistics. Administrators use it to deliver secure content to registered users, customers, or team members. It supports directory-based file management and allows uploads into designated plugin-managed folders. Despite these controls, web server configuration plays a critical role in determining file accessibility.

This scanner detects a medium-severity directory listing vulnerability in WordPress Download Manager versions prior to 3.3.07. The vulnerability arises due to the plugin not preventing directory listing on web servers that do not utilize `.htaccess` protections. Specifically, the `download-manager-files` directory under the `uploads` path becomes accessible to unauthenticated users. This allows attackers to browse the directory contents and potentially download sensitive or private files. Since this misconfiguration is dependent on the server’s directory listing behavior, it may not affect all installations uniformly. However, where exposed, it presents a significant privacy and data leakage risk.

Technically, the vulnerability is located at `/wp-content/uploads/download-manager-files/`, a directory where files managed by the plugin are stored. When accessed on servers lacking directory listing restrictions, the server returns an index page showing all available files. This includes their names, sizes, and last modified timestamps. The scanner sends a simple GET request to this directory and analyzes the response body for directory listing indicators such as "Index of" and "Last modified". If these terms are present along with an HTTP 200 status, the vulnerability is confirmed. The plugin fails to block directory listing by default, relying on server configuration for protection.
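The check described above, written out as an added example (this is not the scanner's own code). It applies the two indicators the description names, "Index of" and "Last modified" together with an HTTP 200 status, to already-captured responses so it runs offline, and it additionally pulls the exposed file names out of an autoindex page so a defender can see what a listing actually reveals. The `Response` class and every sample body are constructed for illustration; the directory path is the one the description gives.

```python
import re
from dataclasses import dataclass

# Added example, not the scanner's own code. It evaluates captured HTTP
# responses against the indicators the description names: status 200 plus
# "Index of" and "Last modified" in the body. All sample responses below are
# constructed for illustration.

LISTING_PATH = "/wp-content/uploads/download-manager-files/"


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status code and decoded body."""
    status: int
    body: str


def is_directory_listing(resp: Response) -> bool:
    """True when the response meets the confirmation criteria from the
    description: HTTP 200 and both listing markers present in the body.
    Requiring both markers avoids flagging pages that merely contain the
    phrase "Index of" in prose."""
    if resp.status != 200:
        return False
    return "Index of" in resp.body and "Last modified" in resp.body


_HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def listed_entries(resp: Response) -> list[str]:
    """Return the file names an autoindex page exposes. Column-sort links
    ("?C=N;O=D"), the parent-directory link and absolute URLs are dropped
    so only entries inside the listed directory remain."""
    if not is_directory_listing(resp):
        return []
    names = []
    for href in _HREF_RE.findall(resp.body):
        if href.startswith(("?", "/")) or "://" in href:
            continue
        names.append(href)
    return names


# Constructed sample: an Apache-style autoindex page for the plugin directory.
SAMPLE_LISTING = Response(200, f"""<html><head>
<title>Index of {LISTING_PATH}</title></head><body>
<h1>Index of {LISTING_PATH}</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th>Size</th></tr>
<tr><td><a href="/wp-content/uploads/">Parent Directory</a></td><td></td><td>-</td></tr>
<tr><td><a href="invoice-0001.pdf">invoice-0001.pdf</a></td><td>2025-01-10 09:14</td><td>48K</td></tr>
<tr><td><a href="build-1.2.zip">build-1.2.zip</a></td><td>2025-01-11 17:02</td><td>3.1M</td></tr>
</table></body></html>""")

# Constructed sample: a server with indexes disabled answers 403 instead.
SAMPLE_FORBIDDEN = Response(403, "<html><body><h1>Forbidden</h1></body></html>")

# Constructed sample: a 200 page that mentions "Index of" but is not a listing.
SAMPLE_PROSE = Response(200, "<p>Index of topics covered in this article.</p>")


if __name__ == "__main__":
    for label, resp in (("listing", SAMPLE_LISTING),
                        ("forbidden", SAMPLE_FORBIDDEN),
                        ("prose", SAMPLE_PROSE)):
        flagged = is_directory_listing(resp)
        print(f"{label}: status={resp.status} listing={flagged} "
              f"entries={listed_entries(resp)}")
```

A 403 or an empty 200 page at this path is the expected result once directory indexes are disabled at the web server (for Apache, `Options -Indexes` in the site configuration or a `.htaccess` file in the directory; for nginx, `autoindex off;`), which is the server-side fix the description refers to alongside updating the plugin.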

If successfully exploited, attackers can access and download files intended to be private, including invoices, customer records, proprietary documents, or software builds. This data exposure can lead to compliance violations, competitive disadvantage, or reputational damage. Publicly accessible directories can also be indexed by search engines, worsening the impact. In some cases, attackers may gather intelligence for more targeted attacks. It’s a clear case of security misconfiguration that should be addressed both at the application and server configuration levels.
