The alterSearchQuery function used by the CreativeMinds CM Downloads Manager plugin prior to version 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code.
Exploitation
Stages
- The malicious user sends a malicious search request to the CM Downloader plugin.
- The CM Downloader plugin sends the query to be processed by CmdownloadController.php.
- The result of the malicious search request is sent back to the malicious user.
Prerequisites
Unauthenticated remote access to the web server is required to exploit the application vulnerability.
Vulnerability Description
The alterSearchQuery function in “lib/controllers/CmdownloadController.php” used by the CreativeMinds CM Downloads Manager plugin prior to version 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code. This is due to the CMDsearch parameter’s data being processed by the PHP create_function function.
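The root cause described above, request data reaching the code string handed to create_function, can be audited for in PHP source. The following is an added example, not Alert Logic's or the plugin's own code: a Python heuristic that flags create_function calls whose arguments contain an interpolated or concatenated variable. The sample PHP and its variable names are constructed for illustration.

```python
import re

CALL = re.compile(r"\bcreate_function\s*\(", re.I)
VAR = re.compile(r"\$\w+")

# Constructed PHP sample (hypothetical names, not the plugin's source).
SAMPLE = r'''<?php
// constructed sample for the scanner below
$cmp = create_function('$a,$b', 'return strcmp($a, $b);');
$term = $_GET['q'];
$cb = create_function('$sql', "return \$sql . ' LIKE \"%$term%\"';");
$ok = create_function('$x', "return \$x * 2;");
'''

def live_args(src, pos):
    """Argument text of the call starting at pos, minus single-quoted
    literals and backslash-escaped characters (both inert in PHP)."""
    out, depth, quote, i = [], 1, None, pos
    while i < len(src) and depth:
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 2            # skip the escaped character (\$, \", \')
                continue
            if ch == quote:
                quote = None
            elif quote == '"':
                out.append(ch)    # double-quoted text is interpolated by PHP
        elif ch in "'\"":
            quote = ch
        else:
            depth += (ch == "(") - (ch == ")")
            if depth:
                out.append(ch)
        i += 1
    return "".join(out)

def find_dynamic_create_function(src):
    """Return (line, variables) for calls built from runtime data."""
    findings = []
    for m in CALL.finditer(src):
        variables = sorted(set(VAR.findall(live_args(src, m.end()))))
        if variables:
            findings.append((src.count("\n", 0, m.start()) + 1, variables))
    return findings

if __name__ == "__main__":
    for line, variables in find_dynamic_create_function(SAMPLE):
        print(f"line {line}: create_function built from {', '.join(variables)}")
```

A hit is a lead for manual review of where the variable comes from, not proof that it is attacker-controlled. create_function was deprecated in PHP 7.2 and removed in PHP 8.0, so any remaining call is worth replacing with a closure.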
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedures, such as:
- Isolate the compromised device from the network.
- Wipe and reinstall the device from secure media.
- Patch the vulnerability from a trusted source (or otherwise mitigate with firewall rules, configuration changes, etc.).
- Replace data from backups.
- Test the device.