Download Media Library <= 0.2.1 - Unauthenticated Sensitive Information Exposure
Description
The Download Media Library plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.2.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=0.2.1As source files for the **Download Media Library (<= 0.2.1)** plugin are not provided, this research plan is based on the vulnerability description (Unauthenticated Sensitive Information Exposure) and common architectural patterns in WordPress "download" plugins. The plan guides the automated agent …
Show full research plan
As source files for the Download Media Library (<= 0.2.1) plugin are not provided, this research plan is based on the vulnerability description (Unauthenticated Sensitive Information Exposure) and common architectural patterns in WordPress "download" plugins. The plan guides the automated agent to identify the specific exposure point and exploit it.
1. Vulnerability Summary
The Download Media Library plugin is designed to facilitate bulk downloading of media files. The vulnerability (CVE-2025-62114) is likely caused by an unauthenticated AJAX or REST API endpoint that returns sensitive data (such as user details, site configuration, or internal file paths) without performing capability checks (current_user_can) or authentication. Because it is "Unauthenticated Information Exposure," the entry point is almost certainly a wp_ajax_nopriv_* hook or a REST route with a permission_callback that returns __return_true.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php(for AJAX) orwp-json/(for REST API). - Action/Route (Inferred): Likely actions include
dml_download_all,dml_export_data, ordml_get_media_list. - Parameter: A
nonce(if required) and possibly parameters liketype,limit, orid. - Authentication: None required (unauthenticated).
3. Code Flow (Target Patterns)
The researcher agent must locate the following flow in the plugin directory (/wp-content/plugins/download-media-library/):
- Entry Point Identification:
- Search for unauthenticated AJAX:
grep -rn "wp_ajax_nopriv_" . - Search for REST routes:
grep -rn "register_rest_route" .
- Search for unauthenticated AJAX:
- Logic Trace:
- Find the function callback associated with the unauthenticated hook.
- Look for sensitive sinks:
$wpdb->get_results("SELECT ... FROM $wpdb->users")(User exposure).get_options()without filtering (Config/Secrets exposure).readfile()orfile_get_contents()with user-controlled input (File exposure).- Direct
echoorwp_send_json()of sensitive internal arrays.
4. Nonce Acquisition Strategy
If the unauthenticated endpoint requires a nonce, follow these steps to extract it:
- Find Nonce Creation: Search for
wp_create_noncein the plugin code to find the action name. - Find Localization: Search for
wp_localize_scriptto see which JS variable holds the nonce.- Guess (Inferred):
window.dml_vars?.nonceorwindow.download_media_library_ajax?.nonce.
- Guess (Inferred):
- Identify Trigger: Look for
add_shortcodeto find what triggers the script/nonce to load on the frontend. - Extraction Procedure:
- Create a page containing the plugin's shortcode:
wp post create --post_type=page --post_status=publish --post_content='[dml_shortcode_name]'(Replace with actual name found). - Navigate to the new page using
browser_navigate. - Execute JS to retrieve the nonce:
browser_eval("window.DML_OBJECT_NAME.nonce_key")(Replace with actual identifiers).
- Create a page containing the plugin's shortcode:
5. Exploitation Strategy
Once the endpoint and nonce are identified, the agent will perform the following:
HTTP Request (Example for AJAX-based exposure):
- Method: POST
- URL:
http://<target>/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=dml_vulnerable_action&nonce=EXTRACTED_NONCE&other_param=value
HTTP Request (Example for REST-based exposure):
- Method: GET
- URL:
http://<target>/wp-json/download-media-library/v1/sensitive-data?_wpnonce=EXTRACTED_NONCE
6. Test Data Setup
To ensure the vulnerability is reproducible:
- Media Upload: Upload at least 3 files to the media library to ensure the plugin has data to "process."
wp media import /path/to/image.jpg --title="Secret File" - User Creation: Create a dummy user to see if their data (email/hash) is exposed.
wp user create victim victim@example.com --role=author - Shortcode Page: (If a nonce is needed) Create the page identified in Section 4.
7. Expected Results
- Successful Exploitation: The HTTP response body (JSON or raw text) contains sensitive information not normally available to guests.
- Target Data: Look for keys like
user_login,user_email,db_password,abspath, or sensitive file contents in the response.
8. Verification Steps
After the http_request tool receives the data, confirm its validity:
- If user data is returned, check if the emails match the output of:
wp user list --fields=user_email - If file paths are returned, verify the files exist:
ls -la [PATH_FROM_EXPLOIT] - If configuration data is leaked, verify against
wp option get [OPTION_NAME].
9. Alternative Approaches
- Path Traversal: If the "Information Exposure" involves file downloads, try to request
/etc/passwdorwp-config.phpusing parameters likefile=../../../../wp-config.php. - SQL Injection: If the information exposure happens via a database query, check if any parameters used in the query are unsanitized, which could lead to a full database dump.
- Debug Logs: Check if the plugin accidentally exposes a path to a custom log file containing sensitive transaction data.
Summary
The Download Media Library plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to 0.2.1. This occurs because the plugin exposes AJAX or REST API endpoints without proper authentication or capability checks, allowing unauthenticated users to retrieve sensitive data such as user details or site configurations.
Exploit Outline
1. Identify the unauthenticated endpoint registered by the plugin, likely through an AJAX action (via `wp_ajax_nopriv_`) or a REST API route with a permissive `permission_callback` returning `true`. 2. Determine if a security nonce is required for the request. If so, locate a frontend page where the plugin's scripts are enqueued (often via a shortcode) and extract the nonce from the localized JavaScript variables (e.g., from `wp_localize_script` output). 3. Send a request to the identified endpoint (e.g., a POST request to `/wp-admin/admin-ajax.php` with the relevant action parameter). 4. The server's response will contain sensitive information, such as lists of users, internal file paths, or site configuration options, which are normally restricted to authenticated administrators.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.