The Download Manager plugin for WordPress is commonly used to manage and secure downloadable files, including documents, images, and other resources. It allows administrators to set up password-protected downloads to restrict access to certain files. However, a critical vulnerability, CVE-2024-13126, has been discovered that allows unauthenticated users to bypass password protection and download all files from the plugin’s directory, including those that are meant to be password-protected. This vulnerability, stemming from improper directory listing configurations, exposes the protected content to unauthorized users. With over 100,000 active installations, this issue poses a significant security risk to WordPress websites using the Download Manager plugin.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-13126 |
| Plugin | Download Manager < 3.3.07 |
| Severity | High |
| All-time downloads | 9 305 211 |
| Active installations | 100 000+ |
| Publicly published | January 17, 2025 |
| Last updated | January 17, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13126/ , https://wpscan.com/vulnerability/c2c69a44-4ecc-41d1-a10c-cfe9c875b803/ |
Timeline
| Date | Event |
| --- | --- |
| December 19, 2024 | Plugin testing and vulnerability detection in the Download Manager have been completed |
| December 19, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 17, 2025 | Registered CVE-2024-13126 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Download Manager plugin. The issue arises from the plugin's failure to properly secure the directory where the files are stored. When users upload files through the plugin, they are stored in the /wp-content/uploads/download-manager-files/ directory. Because directory listing is not disabled for that directory, the web server generates an index of its contents when the directory URL is requested, so an unauthenticated visitor can see every stored file and fetch it directly. Any password protection configured in the plugin is bypassed, since it is enforced only when files are requested through the plugin and not when they are fetched by direct URL. The root cause is that the plugin does not prevent unauthenticated users from viewing the contents of a directory that should be restricted.
Understanding the Password Bypass via Directory Listing
An unauthenticated password bypass vulnerability occurs when an attacker is able to bypass authentication or access controls without the need for valid credentials. In the case of this vulnerability, the issue lies in the directory listing, where an attacker can enumerate files in a restricted directory without needing a password. Directory listing vulnerabilities occur when a web server is configured to generate an index of a directory's contents when that directory is requested and it contains no index file. A real-world example of this kind of vulnerability occurred in earlier versions of the WP File Manager plugin, where unauthorized users could access sensitive files via directory listing. Similarly, CVE-2024-13126 in the Download Manager plugin allows attackers to access and download password-protected files without the required credentials.
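Defenders can spot the exposure pattern in web server logs. The following is an added example, not part of the original advisory: a POSIX shell snippet that runs over constructed Apache combined-format log lines and flags direct requests to the plugin's upload directory (the directory URL itself and any file under it) that the server answered with 200. The IP addresses and file names are invented, and the third line stands in for a download served through the plugin's own handler, whose URL format is assumed.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access log lines (not real traffic).
# Lines 1 and 2 show the exposure: a 200 for the bare directory URL (an auto-generated
# index page) followed by a direct download of a file from that directory.
SAMPLE_LOG='203.0.113.7 - - [19/Dec/2024:10:01:02 +0000] "GET /wp-content/uploads/download-manager-files/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2024:10:01:05 +0000] "GET /wp-content/uploads/download-manager-files/contract.pdf HTTP/1.1" 200 81920 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2024:10:02:11 +0000] "GET /download/contract/ HTTP/1.1" 200 81920 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Dec/2024:10:03:30 +0000] "GET /wp-content/uploads/download-manager-files/ HTTP/1.1" 403 199 "-" "curl/8.0"'

# Upload directory named in the advisory (relative to the site root).
DM_DIR='/wp-content/uploads/download-manager-files/'

# Print every log line (read from stdin) where the upload directory, or any file inside it,
# was fetched by direct URL and the server answered 200. In combined format the request
# path is field 7 and the status code is field 9.
find_direct_dm_access() {
    awk -v dir="$DM_DIR" '
        { path = $7; status = $9 }
        index(path, dir) == 1 && status == 200 { print }'
}

# Count lines where the bare directory itself returned 200, i.e. a listing was served.
count_listing_hits() {
    awk -v dir="$DM_DIR" '$7 == dir && $9 == 200 { n++ } END { print n + 0 }'
}

# Usage on a real server: find_direct_dm_access < /var/log/apache2/access.log
```

Any non-zero count from count_listing_hits on a live log means the directory was already being indexed and the files in it should be treated as disclosed.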
Exploiting the Vulnerability
To exploit CVE-2024-13126, an attacker needs no privileges; an unauthenticated request for the upload directory is enough.
PoC:
1) http://127.0.0.1/wordpress/wp-content/uploads/download-manager-files/
The risks associated with CVE-2024-13126 are significant, particularly for websites that use the Download Manager plugin to protect sensitive or confidential files. If an attacker can access the directory listing and download protected files, they can steal sensitive data, intellectual property, or confidential business documents. In a real-world scenario, this vulnerability could be exploited by competitors to obtain proprietary content or by malicious actors to steal personal information from users. The exposure of password-protected files could also lead to compliance violations if personal data or financial information is involved. Additionally, since this vulnerability does not require authentication, any user who knows the directory path can exploit it, making it easier for attackers to gain access to sensitive content.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-13126, it is essential for administrators to take immediate action. The first step is to update the Download Manager plugin to the latest version (3.3.07 or later, per the affected range above). In addition to updating the plugin, administrators should ensure that directory listings are disabled on the server, so that unauthorized users cannot view the contents of the /wp-content/uploads/download-manager-files/ directory. This can typically be done through the server's .htaccess file or equivalent server-side configuration. Additionally, access controls that stop uploaded files from being served by direct URL, so that every download goes through the plugin's own checks, are crucial. Administrators should also periodically review the permissions on uploaded files and confirm that password-protected files cannot be fetched without the password.
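As an added example (not code from the plugin or from the advisory), the shell function below writes a hardening .htaccess into the upload directory on Apache. It assumes the plugin streams files through its own PHP handler, so direct URL access to the stored files is never needed, and it assumes httpd.conf grants AllowOverride for Options and AuthConfig/Limit (otherwise Apache answers 500 for the directory).

```shell
#!/bin/sh
# Write a hardening .htaccess into the Download Manager upload directory (Apache only).
# Assumption: files are delivered by the plugin's PHP handler, never by direct URL.
# If your site links to the files directly, keep only the Options line.
write_dm_htaccess() {
    dir="${1:?usage: write_dm_htaccess <path-to-download-manager-files>}"
    cat > "$dir/.htaccess" <<'EOF'
# Never generate an automatic index page for this directory
Options -Indexes
# Do not serve the stored files directly; the plugin streams them after its own checks
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Return 0 when the given .htaccess both disables indexes and denies direct access,
# which is the state to verify after the write (and after plugin updates, which may
# rewrite files in the upload directory).
htaccess_is_hardened() {
    grep -q '^Options -Indexes' "$1" && grep -Eq 'Require all denied|Deny from all' "$1"
}

# Example against the default WordPress layout (directory name from the advisory):
# write_dm_htaccess /var/www/html/wp-content/uploads/download-manager-files
# htaccess_is_hardened /var/www/html/wp-content/uploads/download-manager-files/.htaccess
```

nginx ignores .htaccess; there the equivalent is autoindex off; together with a location block for the same path containing deny all;.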
By taking proactive measures to address directory listing and access control vulnerabilities like CVE-2024-13126, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #DirectoryListing #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.