Z-Downloads < 1.11.5 - Admin+ Arbitrary File Upload
Description
The Z-Downloads WordPress plugin before 1.11.5 allows high-privilege users to upload arbitrary files, bypassing intended restrictions in multisite setups.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Z-Downloads WordPress plugin before version 1.11.5 fails to properly validate uploaded files, allowing high-privilege users such as administrators to upload arbitrary file types to the server. This bypasses intended restrictions, particularly in multisite configurations where such uploads should be limited [1].
Exploitation
An attacker with administrator-level access can exploit this vulnerability by uploading a malicious file (e.g., a PHP web shell) through the plugin's file upload functionality. No additional user interaction is required beyond the attacker's own actions [1].
Impact
Successful exploitation enables the attacker to upload arbitrary files, potentially leading to remote code execution if a web shell is uploaded. This can result in full site compromise, including data theft, defacement, or further lateral movement within the server environment. In multisite setups, the vulnerability undermines intended privilege restrictions [1].
Mitigation
The vulnerability is fixed in version 1.11.5 of the Z-Downloads plugin. Users should update to this version immediately. No workarounds are documented, and the issue is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
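To act on the mitigation above, the following added example (not code from the plugin or from the referenced advisory) reads the `Version:` header of a plugin's main file, compares it numerically against 1.11.5, and lists files in an upload directory whose names carry an extension the web server may hand to PHP. The file name `plugin-main.php`, the `uploads` directory and the extension list are assumptions; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 11, 5)  # first fixed release named in the advisory
# Assumption: extensions the web server may hand to PHP; adjust to your handler config.
EXEC_EXT = {".php", ".php5", ".php7", ".phtml", ".phar", ".pht"}

def parse_version(header_text):
    """Return the 'Version:' value of a WordPress plugin header as an int tuple."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True for versions before 1.11.5; an unreadable version fails closed."""
    if version is None:
        return True
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED  # numeric compare, so 1.9.0 sorts before 1.11.5

def executable_uploads(upload_dir):
    """Files with a PHP-handled extension anywhere in the name (catches x.php.jpg)."""
    return sorted(
        p for p in Path(upload_dir).rglob("*")
        if p.is_file() and EXEC_EXT & {s.lower() for s in p.suffixes}
    )

def audit(plugin_main_file, upload_dir):
    """Combine the version check and the upload scan into one report."""
    text = Path(plugin_main_file).read_text(encoding="utf-8", errors="replace")
    version = parse_version(text)
    return {"version": version, "vulnerable": is_vulnerable(version),
            "suspicious": [p.name for p in executable_uploads(upload_dir)]}

if __name__ == "__main__":
    # Constructed sample tree; on a real site pass the plugin's main file and its upload dir.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "plugin-main.php"  # hypothetical file name
        plugin.write_text("<?php\n/**\n * Plugin Name: Z-Downloads\n * Version: 1.11.4\n */\n")
        uploads = root / "uploads"  # hypothetical upload directory
        uploads.mkdir()
        for name in ("manual.pdf", "notes.PHP", "logo.php.jpg"):
            (uploads / name).write_text("constructed sample")
        print(audit(plugin, uploads))
```

A hit in the upload scan is a lead for review, not proof of compromise; whether such a file can execute depends on the server's handler configuration.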
Affected products
- Range: <1.11.5
Patches
No patches discovered yet.
References
[1] wpscan.com/vulnerability/9013351e-224f-4696-970f-eb843dc8dace/ (tags: mitre, exploit, vdb-entry, technical-description)