14 Jul 2016

Arbitrary Directory Download Vulnerability in Download Theme

Recently we found that the plugin Download Plugin plugin contained an arbitrary directory download vulnerability. The Download Theme plugin is from the same developer and has very similar code, which leads to it having the same vulnerability. Other than the AJAX function and function it connects to being named differently, the only difference is that you don’t need to include a input for the value “f” as well as the directory when making the request to exploit this vulnerability.

Proof of Concept

The following proof of concept will ZIP up the website’s files and prompt you to download them.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-post.php?dtwap_download=../../

Timeline

  • 7/7/2016 – Developer notified.
  • 7/14/2016 – WordPress.org Plugin Directory notified.
  • 7/14/2016 – Removed from WordPress.org Plugin Directory.
  • 7/21/2016 – Version 1.0.3 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Leave a Reply

Your email address will not be published.