Not Just Another Broken Link…
Check Point researcher Dikla Barda recently discovered critical vulnerabilities in two widely used WordPress plugins: the Broken Link Checker and the Download Manager. These vulnerabilities allow:
- Access to private data by unauthenticated users via Path Traversal.
- Execution of malicious code and theft of user sessions via a stored XSS vulnerability.
Both plugins are widely deployed over 1.4 million web sites & they already issued a patch for these vulnerabilities.
Vulnerable WordPress plugins:
Broken Link Checker
Broken Link Checker is a plugin that monitors links on a website, including all pages, posts, and comments. Broken Link Checker notifies the administrator of any broken links that are found.
This plugin is very popular with WordPress website owners. There are over 400,000 active installations of the Broken Link Checker plugin, and more than 3 million downloads.
Download Manager is a plugin for managing files and documents. It is used as a complete e-commerce solution for selling digital products. There are over a million installations of Download Manager world-wide.
Description of the Vulnerabilities
Broken Link Checker
The Download Manager plugin by default uses an add-on called Extended Short-codes. This generates a tree view of the server categories and current packages, allowing the administrator to navigate manually for any required data.
The add-on exposes a severe vulnerability that allows a malicious and unauthenticated user to browse the file system.
Researchers at Check Point discovered that by sending a crafted post request allows the user to view the content of any folder on the web server.
- The request vulnerability:
Within the site’s posting parameters, a user can request to view any directory from the webserver. An unauthorized user can send the same post request for any location on the server file system.
This example shows a request for the /etc/ folder:
The not-so-surprising result:
Attackers can use this method to get sensitive information from the server.
How can you protect your system against these vulnerabilities?
Check Point IPS currently protects against exploitation attempts of these vulnerabilities.
- “WordPress Download Manager Plugin Information Disclosure”
- “WordPress Broken Link Checker Plugin Cross-Site Scripting”
Check Point recommends updating your plugins to the latest version.
For the Broken Link Checker – v1.10.8 available here: https://wordpress.org/plugins/broken-link-checker/
For the Download Manager – v2.7.92 available here: https://wordpress.org/plugins/download-manager/