WordPress powers a large share of websites worldwide, and two separate vulnerabilities have been found in one of its plugins, WordPress Download Manager, which is installed on more than 100,000 sites and is used to control how download pages are displayed. The vulnerabilities were found by the Wordfence Threat Intelligence Team and involve an authenticated attacker (one holding a valid account on the site) achieving directory traversal. WordPress Download Manager does have some protection in place against directory traversal, but it proved insufficient in this case.
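The page does not say which traversal check the plugin used or how it was bypassed, so the following is an added illustration in Python rather than the plugin's PHP: an assumed weak sanitizer that strips `../` once, beside a resolver that canonicalises the path and refuses anything outside the download directory. The directory layout, file names and function names are constructed for the example and are not taken from the plugin.

```python
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed sandbox (not the plugin's real layout): a download directory
# holding one public file, and a sensitive file one level above it that a
# download handler must never serve.
BASE = Path(tempfile.mkdtemp())
DOWNLOADS = BASE / "downloads"
DOWNLOADS.mkdir()
(DOWNLOADS / "report.pdf").write_text("public report")
(BASE / "wp-config.php").write_text("DB_PASSWORD=secret")


def weak_resolve(user_path: str) -> Optional[Path]:
    """Assumed weak sanitizer: remove '../' once and join what is left.

    A single-pass removal is bypassed by '....//': once the inner '../' is
    deleted, the remaining characters collapse back into '../'.
    """
    cleaned = user_path.replace("../", "")
    return DOWNLOADS / cleaned


def safe_resolve(user_path: str) -> Optional[Path]:
    """Canonicalise the joined path and refuse anything outside DOWNLOADS.

    resolve() follows symlinks and collapses '..' segments. Note that pathlib
    discards DOWNLOADS entirely when user_path is absolute, so the containment
    check below, not the join, is what enforces the boundary.
    """
    base = DOWNLOADS.resolve()
    candidate = (DOWNLOADS / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


def serve(resolver: Callable[[str], Optional[Path]], user_path: str) -> Optional[str]:
    """Simulated download endpoint: the file body, or None if refused or missing."""
    target = resolver(user_path)
    if target is None or not target.is_file():
        return None
    return target.read_text()


if __name__ == "__main__":
    for attempt in ("report.pdf", "../wp-config.php", "....//wp-config.php"):
        print(f"{attempt!r:24} weak={serve(weak_resolve, attempt)!r:22} "
              f"safe={serve(safe_resolve, attempt)!r}")
```

Running the block shows the weak sanitizer stopping the obvious `../wp-config.php` but handing over the config file for `....//wp-config.php`, while `safe_resolve` refuses both because it tests the canonical path against the base directory instead of looking for a forbidden substring.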
Before this, the WordPress Download Manager developers had patched a vulnerability that allowed users to upload files with a .php4 extension, along with other potentially malicious file types. Although that patch protected many configurations, it only inspected the last file extension, which made it possible for an attacker to carry out a "double extension" attack by uploading a file with multiple extensions, such as info.php.png. Some web server configurations (for example Apache with mod_mime's AddHandler directive) treat every extension in such a name as significant and will still execute the file as PHP.
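To make the last-extension problem concrete, here is an added example in Python (not the plugin's PHP and not its actual check): an assumed weak filter that only examines the text after the final dot, beside a stricter one that allowlists the final extension, rejects an executable extension anywhere in the chain, and never reuses the user's name on disk. The two extension lists and the function names are assumptions made for the example.

```python
import secrets
from typing import Optional

# Assumed policy lists for the example; the plugin's real lists are not on the page.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "zip"}


def weak_is_allowed(filename: str) -> bool:
    """Assumed weak check: only the text after the final dot is examined.

    'shell.php4' is refused, but 'info.php.png' passes because its last
    extension is png.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in BLOCKED_EXTENSIONS


def strict_is_allowed(filename: str) -> bool:
    """Allowlist the final extension and reject executable names anywhere in the chain."""
    name = filename.lower()
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    segments = name.split(".")
    if len(segments) < 2 or any(seg == "" for seg in segments):
        return False  # no extension, dot-files such as .htaccess, or 'a..b'
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False
    # Apache's mod_mime honours every extension in a multi-extension name, so a
    # .php segment in the middle can still route the file to the PHP handler.
    return not any(seg in BLOCKED_EXTENSIONS for seg in segments[1:-1])


def storage_name(filename: str) -> Optional[str]:
    """Name to write on disk: a random token plus the validated extension.

    The user-supplied base name never reaches the filesystem, so even a name
    the validator mis-judges cannot choose its own handler or path.
    """
    if not strict_is_allowed(filename):
        return None
    return f"{secrets.token_hex(16)}.{filename.rsplit('.', 1)[-1].lower()}"


if __name__ == "__main__":
    for name in ("photo.png", "shell.php4", "info.php.png", "q3.report.pdf", ".htaccess"):
        print(f"{name:16} weak={weak_is_allowed(name)!s:6} strict={strict_is_allowed(name)!s:6} "
              f"stored_as={storage_name(name)}")
```

The extension check is only one layer: a production upload handler should also verify the content against the declared type and store uploads outside the web root or in a directory where script execution is disabled, so that a name the filter misses still cannot run.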
The Wordfence Threat Intelligence Team disclosed its findings to the plugin's developers in May, and a patched version was released the following day. Site owners running WordPress Download Manager should update to the latest version immediately.