TL;DR: CVE-2021-25059 is a security vulnerability in versions of the Download Plugin WordPress plugin prior to 2... It may allow unauthorized users to download a full copy of a website because user privileges are not validated properly. Updating the plugin to the latest version resolves the issue.

In this post, we will discuss the details of CVE-2021-25059, the security vulnerability discovered in the Download Plugin WordPress plugin (versions prior to 2..). We will examine the issue, provide an explanation of the vulnerability, show a code snippet with a problematic use of nonce validation, and share links to the original references. Finally, we will offer advice on how to protect your site against this exploit.

What is the Download Plugin WordPress Plugin?

The Download Plugin (WPDL) is a popular WordPress plugin that allows website administrators to create download buttons for their users. It offers various features, such as download counters, customizable templates, and support for multiple file formats.

What is CVE-2021-25059?

CVE-2021-25059 is a security vulnerability discovered in the Download Plugin. When exploited, it allows unauthorized users to download a full copy of the website without holding the required privileges. This can happen when someone with an account on the site, such as a subscriber, requests a specific URL and the server does not correctly validate whether they possess the privileges required to access a backup's nonce identifier.

Why is this vulnerability a problem?

Without proper user validation, unauthorized users could access sensitive information, including configuration files, email addresses, and uploaded files. By exploiting this vulnerability, an attacker can potentially modify website content, delete critical files, or even launch further attacks on the site and its users.

Code snippet demonstrating the vulnerability

The vulnerability can be traced back to a code snippet located in 'download-functions.php' within the Download Plugin. Here's the problematic nonce validation portion:

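function wpdl_ajax_download() {
    global $wpdb;

    // Verifies only the nonce sent in the 'nonce' request field (a CSRF check).
    check_ajax_referer('wpdl_downloading', 'nonce');
    // No capability check appears in the lines shown: the caller's role is not examined.
    $download_id = intval($_REQUEST['download_id']);
    $ip_address = $_SERVER['REMOTE_ADDR'];
    // ... (remainder of the function elided)
}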

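The 'check_ajax_referer()' call is relied on here to ensure that the user has the proper privileges to access the backup nonce identifier. However, it only verifies that the request carries a valid nonce; it does not check the caller's role or capabilities, so in this case those privileges are not correctly validated.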
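For contrast, a hardened version of the handler, as an added example (not the plugin's actual patch and not code from the original post): it keeps the nonce check and adds the capability check that the paragraph above identifies as missing. The function name 'wpdl_ajax_download_hardened', the hook name 'wp_ajax_wpdl_download' and the 'manage_options' capability are assumptions, and the code is meant to be loaded by WordPress as part of a plugin file.

```php
<?php
// Added example, not the plugin's real fix. Names marked "assumed" are illustrative.

// Refuse direct access to the file outside of WordPress.
if (!defined('ABSPATH')) {
    exit;
}

function wpdl_ajax_download_hardened() { // assumed name
    // 1. CSRF check: confirms the request carries a valid 'wpdl_downloading'
    //    nonce. Any logged-in user who can obtain that nonce passes this line,
    //    so it says nothing about what the user is allowed to do.
    check_ajax_referer('wpdl_downloading', 'nonce');

    // 2. Authorization check: the step absent from the vulnerable snippet.
    //    'manage_options' (administrators by default) is an assumed choice;
    //    use the capability that matches who may download backups.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // 3. Input validation: reject a missing or non-numeric identifier.
    $download_id = isset($_REQUEST['download_id'])
        ? absint($_REQUEST['download_id'])
        : 0;
    if ($download_id === 0) {
        wp_send_json_error(array('message' => 'Invalid download_id'), 400);
    }

    // ... serve the download only after all three checks have passed ...
    wp_send_json_success(array('download_id' => $download_id));
}

// Register the authenticated hook only (assumed action name). Leaving out a
// 'wp_ajax_nopriv_' registration keeps logged-out visitors away from the handler.
add_action('wp_ajax_wpdl_download', 'wpdl_ajax_download_hardened');
```

Both wp_send_json_error() and wp_send_json_success() terminate the request, so nothing after a failed check runs.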

Original references

1. The Download Plugin WordPress plugin can be found at: WordPress.org
2. CVE-2021-25059 details can be found at: CVE website
3. Proof of concept and vulnerability details can be found at: Exploit Database

How to protect your site

Regularly monitor your site for unauthorized access and suspicious activity.

In conclusion, CVE-2021-25059 is a critical security vulnerability in the Download Plugin WordPress plugin that compromises a website's safety by allowing unauthorized users to download a complete copy of a site. To protect your WordPress site, ensure that you have the latest version of the Download Plugin and keep all components up to date.

Timeline

Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 15:15:00 UTC