False Vulnerability Report: WP-DownloadManager Arbitrary File Upload Vulnerability
As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.
One thing we frequently see coming up with false reports of vulnerabilities is people not understanding that certain activities are not always a vulnerability. One serious type of vulnerability is an arbitrary file upload vulnerability, which allows someone to upload any file. That could be used to upload a .php file with malicious code and then do basically anything with the website. In WordPress an Administrator level user would normally have the equivalent capability since the can upload new plugins and themes, so it wouldn’t be a vulnerability for a plugin to allow them to do the same.
That brings to a report claiming there is an arbitrary file upload vulnerability in the plugin WP-DownloadManager. The proof of concept for this says “Unrestricted File Upload In Admin Panel You Can Upload shell.php” and indicates the page to visit for this is http://localhost/wp/wp-admin/admin.php?page=wp-downloadmanager/download-add.php. A quick checked showed that this page is only accessible by Administrator level users, for which this wouldn’t be a vulnerability.
To get more technical, access to that page is restricted to users that have “manage_downloads” capability, as seen in the file /wp-downloadmanager.php:
53 | add_submenu_page('wp-downloadmanager/download-manager.php', __('Add File', 'wp-downloadmanager'), __('Add File', 'wp-downloadmanager'), 'manage_downloads', 'wp-downloadmanager/download-add.php'); |
The “manage_downloads” capability is adding to Administrator role later in the file:
1587 1588 1589 1590 1591 | // Set 'manage_downloads' Capabilities To Administrator $role = get_role('administrator'); if(!$role->has_cap('manage_downloads')) { $role->add_cap('manage_downloads'); } |
The page also proper utilizes a nonce, so cross-site request forgery (CSRF) is not possible on that page.