ADVISORY: Multiple Vulnerabilities in WordPress Download Manager Plugin Could Allow Remote Code Execution

Friday, December 5, 2014

This message is intended for U-M IT staff who are responsible for maintaining and running WordPress.org websites and/or blogs. A security vulnerability was announced today that requires immediate remediation. Please read the advisory below to see if servers for which you are responsible are affected and take action if appropriate.

Summary: 

Multiple vulnerabilities in the WordPress Download Manager plugin could allow remote code execution. WordPress Download Manager is a file and document management plugin for the WordPress content management system.

Problem: 

Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.

Affected Systems: 

WordPress Download Manager Plugin. Versions prior to 2.7.5 are vulnerable.

Action Items: 

Update the plugin to the current version, 2.7.5.

In addition, we recommend the following actions be taken:

  • Review and follow WordPress hardening guidelines
  • Confirm that the operating system and all other applications on the server running WordPress are updated with the most recent patches.
  • Run all software as a non-privileged user to diminish effects of a successful attack.
Threats: 

Vulnerability exploitation details are readily available online.

Technical Details: 

WordPress Download Manager is prone to multiple vulnerabilities including one that could allow for remote code execution due to a failure to sanitize user-supplied input submitted to the ‘execute’ parameter of the 'wpdm_ajax_call_exec()' function. A remote file-include vulnerability also exists because it allows the uploading of arbitrary files to the '/file-type-icons/' directory. Specifically, this issue affects the 'wpdm_upload_icon()' function. Successful exploitation of these vulnerabilities could result in an attacker being able to execute arbitrary code in the context of the web server process or could allow for the uploading of arbitrary files. This may allow an attacker access to sensitive information and compromise the application.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.