CVE-2024-13126 Scanner

CVE-2024-13126 Scanner - Information Disclosure vulnerability in WordPress Download Manager

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 22 days 16 hours
Scan only one: URL
Toolbox: -

WordPress Download Manager is a widely used plugin for the WordPress platform that lets users manage file and document downloads. It is especially popular among bloggers, small business owners, and administrators of websites that distribute a lot of files. The software enables users to create secure download links and manage the user roles involved in downloading. Various businesses use this plugin to offer both free and premium content to their users. It is designed for WordPress sites and gives administrators fine-grained control over how files are accessed and distributed. As an add-on to WordPress, it is tightly integrated and follows WordPress standards for data management and user interaction.

The vulnerability is an improper access control issue that allows unauthenticated directory listing in the WordPress Download Manager plugin. Specifically, the plugin doesn't restrict access to its directories on servers that don't honor .htaccess files, exposing potentially sensitive files. Attackers could exploit this flaw to list files stored in the download-manager-files directory. The situation arises from a lack of authorization enforcement and a failure to use directory controls to hide contents from public view. Given the popularity of WordPress and this plugin, such a vulnerability could lead to widespread unauthorized data exposure if left unpatched. Administrators using this plugin therefore need to be aware of this weakness.

Technically, the vulnerability manifests when a GET request is made to a particular URL endpoint associated with the plugin. If the server doesn't apply directory restrictions such as .htaccess to the '/wp-content/uploads/download-manager-files/' directory, the files listed there become exposed. The issue is detected by scanning the HTTP response for certain key indicators, such as the presence of index markers. Listing the files this way doesn't require any form of authentication, making it a critical oversight in secure data handling practices. The matcher checks for the presence of both 'Index of /wp-content/uploads/download-' and 'Last modified' in the HTTP response to confirm that the directory content is visible.
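The matcher logic described above can be reproduced by an asset owner against their own site. The following is an added example, not the scanner's own code; the function names, the 64 KiB read limit, the error handling and the sample responses are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# Path and marker strings are the ones given in the description above.
LISTING_PATH = "/wp-content/uploads/download-manager-files/"
MARKERS = ("Index of /wp-content/uploads/download-", "Last modified")


def listing_exposed(body: str) -> bool:
    """Return True only when BOTH markers are present, as the matcher requires."""
    return all(marker in body for marker in MARKERS)


def check_site(base_url: str, timeout: float = 10.0) -> bool:
    """Fetch the plugin directory on a site you administer and apply the matcher.

    Hypothetical helper: any HTTP error (403, 404, ...) or network failure
    is treated as "listing not exposed".
    """
    url = base_url.rstrip("/") + LISTING_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return False
    return listing_exposed(body)


# Constructed sample responses (not captured from a real server).
SAMPLE_AUTOINDEX = """<html><head><title>Index of /wp-content/uploads/download-manager-files</title></head>
<body><h1>Index of /wp-content/uploads/download-manager-files</h1>
<table><tr><th>Name</th><th>Last modified</th><th>Size</th></tr>
<tr><td><a href="example.pdf">example.pdf</a></td><td>2025-01-01 00:00</td><td>12K</td></tr>
</table></body></html>"""
SAMPLE_FORBIDDEN = "<html><body><h1>403 Forbidden</h1></body></html>"
# A page that only mentions "Last modified" must not match on its own.
SAMPLE_UNRELATED = "<html><body>Last modified: yesterday</body></html>"

if __name__ == "__main__":
    samples = [("autoindex", SAMPLE_AUTOINDEX),
               ("forbidden", SAMPLE_FORBIDDEN),
               ("unrelated", SAMPLE_UNRELATED)]
    for name, body in samples:
        print(name, "->", "EXPOSED" if listing_exposed(body) else "ok")
```

Requiring both strings avoids flagging pages that contain only one of them, such as an unrelated page showing a "Last modified" date.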

Exploitation of this vulnerability could have significant security implications. Unauthorized users could access sensitive files meant for restricted distribution, compromising the confidentiality of that data. The exposure might involve confidential documents, private keys, user details, or other sensitive data stored within the plugin's folders. Businesses relying on the plugin to manage their download distribution could face trust and compliance issues if customer data is inadvertently exposed. Additionally, this vulnerability might serve as an entry point for further exploitation: a stepping stone to deeper network privileges if sensitive information such as credentials is exposed and then used.
