There is an easily exploitable remote code execution vulnerability in a popular WordPress plugin that helps manage file downloads and researchers say the bug could be used by even a low-level attacker to run arbitrary code on a vulnerable site.

The vulnerability is in the WP Download Manager, versions 2.7.4 and lower, and it could be used to implant a backdoor on a vulnerable site or get access to administrative accounts. Researchers at Sucuri discovered the vulnerability and a fixed version of the WP Download Manager plugin was released earlier this week.

“The plugin used a custom method to handle certain types of Ajax requests which could be abused by an attacker to call arbitrary functions within the application’s context. There were no permission checks before handling these special Ajax calls. This allowed a malicious individual (with a minimal knowledge of WordPress internals) to inject a backdoor on the remote site or to change the administrator’s password if the name of his account was known. As this function is hooked to the ‘wp’ hook (which is executed every single time somebody visits a post/page), it could be abused by anyone,” Mickael Nadeau of Sucuri wrote in an analysis of the bug.

WordPress is one of the more popular content management systems in use today and is used both by individuals for small Web sites and by businesses for much larger sites. Attackers often target WP sites that are running vulnerable versions of the software and WordPress sites have been hit by mass code-injection attacks in the past.

The bug in WP Download Manager is caused by an Ajax function that didn’t enforce permission checks.

“Any WordPress based website running the WP Download Manager version would be susceptible to remote code execution. Allowing an attacker to inject a backdoor and change important credentials, like admin accounts,” Nadeau said.

Users running a vulnerable version should update to WP Download Manager 2.7.5.

Categories: Vulnerabilities, Web Security