One of the changelog entries for version 4.5.9 of the WordPress plugin Download Monitor, which was released last week, is:

Fixed: Security issues regarding file downloads and download titles

As that plugin is used by at least one customer of our main service, we reviewed the changes to see if that was related to a vulnerability that we should be warning them about and if it was fixed.

What that appears to relate to in part is restricting what files can be set to be downloaded through the plugin. Specifically, code was added to restrict downloading several files:

267
268
269
270
271

$restricted_files = array(
	'wp-config.php',
	'.htaccess',
	'php.ini',
);

And restrict downloading files outside the root directory of the website:

296

// If ABSPATH is not completly in the file path it means that the file is not in the root of the site, so return empty string.

As normally only Administrators would have access to that capability, this wouldn’t be a vulnerability unless you were to give lower-level users access. If you were to give lower-level users access, though, there would still would seem to be a security issue, even with those restrictions.

After reviewing that, we notified the developer that there were a couple of remaining issues with what appear to be their new security model and offered to help address those. We have yet to hear back from them about that and they have not been addressed so far.

We were then waiting for someone to put out a report claiming this was a vulnerability, to see if they were able to make the case this was a vulnerability. It turns out someone already did five months ago, but also claimed the issue had been addressed then.

One of our competitors, Patchstack, has an entry with a listed disclosure date of October 29 that claims the plugin had had an “Authenticated Arbitrary File Download vulnerability”:

There is almost no detail provided, but it is claimed that it was addressed in version 4.4.7, which was released on October 29:

Update the WordPress Download Monitor plugin to the latest available version (at least 4.4.7).

A linked CVE entry, CVE-2021-31567, credited to Patchstack, states this:

Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the &downloadable_file_urls[0] parameter data. It’s also possible to escape from the web server home directory and download any file within the OS.

That matches up with the changes just made. So what is going on there? One possibility is that the change was made and then undone, but looking at the changes made in version 4.4.7, it doesn’t look like there was an attempt to address this. Testing version 4.4.7, we didn’t find any restriction on doing the things mentioned there.

Patchstack markets their service with a claim security experts verify their information:

Hand curated, verified and enriched vulnerability information by Patchstack security experts.

Yet, looking at this situation, they don’t even seem to be doing any close to that.

WPScan Too

Another of our competitors markets themselves with this:

Enterprise-strength WordPress protection for everyone

And this:

Dedicated team of WordPress security experts

And yet they are also claiming the issue was addressed in version 4.4.7 despite it appearing that nothing supports that whatsoever:

They also are confusingly claiming it was fixed in version 4.4.5 as well.

How would a team of security experts fail that badly?

Why are Patchstack and WPScan CVE Number Authorities (CNAs)?

Patchstack could create a CVE entry because they are CVE Number Authority (CNA). CVE describe those in this way:

In general, CNAs are vendors or other seasoned organizations with a record of researching vulnerabilities and demonstrating security advisory capabilities. They commonly have an established user base, and their security information is regularly consulted by researchers and vendors. They may also be well-established bug bounty hunters.

An onboarding process has been established to ensure that CNAs meet the standards of the CVE program. Potential CVE analysts and CNA candidates are given strict instructions for vetting vulnerabilities, including a wide range of examples and exercises. Should a CNA demonstrate the appropriate level of expertise and communication required, they are approved and become operational.

By any reasonable measure, that doesn’t describe Patchstack or other CNAs we have run across. Nor does it describe WPScan, which is also a CNA.

More Issues Here

Patchstack has another entry for that version of Download Monitor, which claims that there was a vulnerability involving actions taken by an Administrator:

Again, it is incredibly vague, but a related CVE entry, CVE-2021-23174, fills in more details:

Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title, &downloadable_file_version[0].

The post_title parameter mentioned there is controlled by WordPress, not the plugin, and being able to do the equivalent of XSS is controlled by the unfiltered_html capability. That is something WordPress security experts would be aware of.

In general, doing what is claimed there wouldn’t be a vulnerability for Administrators (presumably that is what they mean by “admin+”), since they are allowed to do almost anything.

Plugin Security Scorecard Grade for Patchstack

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for WPScan

See issues causing the plugin to get less than A+ grade