CVE-2019-25727
Description
WordPress Plugin ad manager wd 1.0.11 has an arbitrary file download vulnerability allowing unauthenticated attackers to read sensitive files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
WordPress Plugin ad manager wd version 1.0.11 contains an arbitrary file download vulnerability. This vulnerability allows unauthenticated attackers to download sensitive files by manipulating the path parameter within GET requests to the edit.php endpoint when the export=export_csv parameter is also present. The vulnerability resides in the plugin's handling of file paths, specifically its failure to properly restrict directory traversal [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to the edit.php endpoint of the affected WordPress site. The request must include the parameters export=export_csv and a malicious path parameter. By manipulating the path parameter, the attacker can specify arbitrary files accessible to the web server, such as wp-config.php, to be downloaded [1].
Impact
Successful exploitation allows an unauthenticated attacker to download arbitrary files from the web server that are accessible by the web server's user. This can lead to the disclosure of highly sensitive information, such as database credentials and other configuration details found in files like wp-config.php, potentially compromising the entire WordPress installation and its underlying data [1].
Mitigation
The vulnerability affects WordPress Plugin ad manager wd versions up to and including 1.0.11. A patch or updated version addressing this vulnerability has not yet been disclosed in the available references. Users are advised to monitor for updates from the plugin vendor. It is not listed on the CISA KEV catalog at this time [1].
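The two controls the advisory implies, a containment check that keeps a CSV export request inside the plugin's own export directory and a log check for the request pattern it describes (a GET to edit.php with export=export_csv and a path value that is absolute or contains a '..' segment), as an added example in Python. This is not the plugin's code and not part of the CVE record; the export directory, the file names, the access-log lines and the PLUGIN-DIR path segment are constructed, since the record does not give the plugin's directory. POSIX paths are assumed.

```python
"""Added example (not from the CVE record or the plugin): path containment
for a CSV-export handler plus a detector for traversal attempts against
the export endpoint described in CVE-2019-25727."""
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SUFFIXES = (".csv",)


def resolve_export_path(export_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `export_dir`, or None
    when the request escapes the directory or asks for a non-CSV file.

    os.path.join discards `export_dir` when `requested` is absolute, and
    realpath() collapses '..' segments and follows symlinks, so both the
    absolute-path and the traversal case end up outside `base` and fail
    the commonpath test below. `requested` is percent-decoded once here;
    a framework that already decodes query values should pass the decoded
    string and not decode twice.
    """
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    # commonpath (not startswith) so that /srv/exports_evil does not pass
    # as a child of /srv/exports; an empty or '.' request resolves to base
    # itself and is rejected as well.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


# Matches a '..' path segment anywhere in a slash-separated path.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Pulls the request target out of a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_suspicious_export_request(target: str) -> bool:
    """True for a request to edit.php carrying export=export_csv whose
    `path` value is absolute or contains a '..' segment once decoded."""
    parts = urlsplit(target)
    if not parts.path.endswith("/edit.php"):
        return False
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    if query.get("export") != ["export_csv"]:
        return False
    for value in query.get("path", []):
        value = value.replace("\\", "/")  # normalise backslash traversal
        if value.startswith("/") or TRAVERSAL_RE.search(value):
            return True
    return False


def flagged_lines(access_log: str) -> List[str]:
    """Return the access-log lines whose request target looks like a
    traversal attempt against the export endpoint."""
    hits = []
    for line in access_log.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_suspicious_export_request(match.group(1)):
            hits.append(line)
    return hits


# Constructed sample log; PLUGIN-DIR is a placeholder for the plugin's
# directory, which the advisory does not name. Only the second line should
# be flagged: its path value decodes to a '..' traversal.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN-DIR/edit.php?export=export_csv&path=report.csv HTTP/1.1" 200 512
203.0.113.7 - - [04/Jun/2026:10:00:02 +0000] "GET /wp-content/plugins/PLUGIN-DIR/edit.php?export=export_csv&path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3021
203.0.113.9 - - [04/Jun/2026:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for line in flagged_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
    print(resolve_export_path("/srv/exports", "report.csv"))
    print(resolve_export_path("/srv/exports", "../../../wp-config.php"))
```

The containment check is the fix class for this bug: the handler should never hand a client-controlled path to the filesystem without first resolving it and proving it is still inside the directory it is allowed to serve, and it should also restrict the file type it exports. The detector is a triage aid for the period before a vendor fix is available, since the advisory reports none; it only examines the query parameters the advisory names and percent-decodes them so that encoded traversal is not missed.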
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0.11
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.