On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability Wordfence discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites.
This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads. If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.
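The root cause of this class of bug is a delete operation that trusts a user-supplied path. The following PHP helper is an added illustration, not code from the Download Manager plugin or its patch: it resolves the requested path with realpath() and refuses anything that does not land strictly inside the WordPress uploads directory, which keeps wp-config.php and everything else outside that tree out of reach. It assumes it runs inside WordPress so that wp_upload_dir() is available.

```php
<?php
// Added example (hypothetical helper, not the plugin's own code): confine a
// delete request to the uploads directory so a path like "../../wp-config.php"
// or "/etc/passwd" can never be resolved to a file outside that directory.

function safe_delete_upload( string $user_path ): bool {
    $upload_dir = wp_upload_dir();              // assumes WordPress is loaded
    $base       = realpath( $upload_dir['basedir'] );

    // realpath() collapses "..", "." and symlinks; it returns false when the
    // target does not exist, which we treat as a refusal rather than an error.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $user_path );
    if ( false === $base || false === $target ) {
        return false;
    }

    // The resolved target must begin with "<uploads>/" (note the trailing
    // separator: it stops "<uploads>-evil/file" from passing as a prefix match).
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    // Only regular files are deletable; directories and special files are refused.
    if ( ! is_file( $target ) ) {
        return false;
    }

    return unlink( $target );
}
```

This confinement check belongs in addition to, not instead of, a capability check such as current_user_can() on the calling code path, since the advisory's point is that a low-privileged but authenticated user must never be able to choose an arbitrary target.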
Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.
Wordfence attempted to reach out to the developer on July 8, 2022, the same day the vulnerability was discovered. Wordfence never received a response, so it sent the full details to the WordPress.org plugins team on July 26, 2022. The plugin was fully patched the next day, on July 27, 2022.
Wordfence strongly recommends ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.