Udayavni Special

WordPress found few vulnerabilities: Know how to fix them


Team Udayavani, Aug 1, 2021, 12:32 PM IST

Two vulnerabilities have been found in the WordPress plugin that was installed on over 1,00,000 websites. WordPress Download Manager, the plugin is used to change how download pages are displayed.

The Wordfence Threat Intelligence team found the vulnerabilities.

WordPress Download Manager has some protections in place to protect against directory traversal, they did not prove to be sufficient in this particular case, leading to a contributor with lower privileges being able to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack.

The contents of the wp-config.php were visible in the page’s source code upon previewing the download and as the contents of the file were echoed out onto the page source, a user with author-level access could also upload a file or multimedia containing malicious JavaScript and set the contents of the file to the path of the uploaded file which could result in Stores Cross-Site Scripting.

Earlier, the WordPress Download Manager team had patched a vulnerability that allowed users to upload files with php4 extensions as well as other potentially malicious files. But reports stated that this patch protected many configurations, it only checked the last file extension that made it possible for an attacker to carry out a “double extension” attack by uploading a file with multiple extensions like info.php.png.

Website owners who use WordPress are advised to update to the latest version immediately as the WordPress team and developers have released a patch.

Udayavani is now on Telegram. Click here to join our channel and stay updated with the latest news.

Top News

”Dose of hope”: Biden pushing rich nations to share vaccine

“Great honour”, says Kasturirangan on heading school curriculum panel

Man uploads morphed pic of girlfriend and her family, arrested

Trojan posing as IT refund skulking to attack Android phone bank customers

‘Induction can’t be postponed by one year’: SC rejects Centre’s plea to defer NDA exams for women

Karnataka Assembly passes three bills related to GST, T&P and online gambling

Rohan Monteiro buys Karnataka’s first Bentley Bentayga V8 SUV

Related Articles More

Trojan posing as IT refund skulking to attack Android phone bank customers

NASA selects Moon site for ice-hunting rover

Amazon India to offer voice shopping experience in Hindi soon

C-DOT developing tech to tap all media for broadcasting disaster alerts

Amazon adds 3 Indic languages for seller registration, account management services

MUST WATCH

Custard apple plants in chittapura

How To Make Betel Leaf Garland For God

Fire breaks at residential appartment in bengaluru

protest of safai karmachari at raichuru

LIVE : Karnataka Assembly Session 21-09-2021| Afternoon Session


Latest Additions

India’s oldest mosque basks in past glory after renovation; set for reopening

Supreme Court rejects Padmanabhaswamy Temple Trust’s plea seeking exemption from audit

”Dose of hope”: Biden pushing rich nations to share vaccine

“Great honour”, says Kasturirangan on heading school curriculum panel

Man uploads morphed pic of girlfriend and her family, arrested

Thanks for visiting Udayavani

You seem to have an Ad Blocker on.
To continue reading, please turn it off or whitelist Udayavani.