WordPress Download Plugins and Themes from Dashboard Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress plugin 'Download Plugins and Themes in ZIP from Dashboard', affecting all versions through 1.9.6. The vulnerability arises from inadequate nonce validation in the 'download_plugin_bulk' and 'download_theme_bulk' functions. Because the request is not tied to a nonce, an unauthenticated attacker can craft a forged request that, if a logged-in site administrator is tricked into submitting it, archives the site's plugins and themes and saves the archives to the 'wp-content/uploads/' directory.
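To make the root cause concrete, here is an added illustration (not the plugin's own code and not the 1.9.7 patch) of the handler pattern the advisory describes: a bulk-download action triggered by a request parameter, first without a nonce check and then with the capability and nonce checks WordPress provides. The function names prefixed `hypothetical_`, the archive helper `hypothetical_build_zip_archive()`, and the choice of capabilities are assumptions; only the parameter names 'alg_download_plugin_bulk' and 'alg_download_theme_bulk' come from the advisory.

```php
<?php
// Added example: simplified bulk-download handler, not the plugin's real code.
// hypothetical_build_zip_archive() stands in for whatever zips plugins/themes
// into wp-content/uploads/.

function hypothetical_build_zip_archive( $what ) {
    // Placeholder for the archive step; $what is 'plugins' or 'themes'.
    return "wp-content/uploads/{$what}.zip";
}

// BEFORE (the vulnerable pattern): the handler fires as soon as the trigger
// parameter is present. A forged cross-site request carried by an
// administrator's browser satisfies this check, so no nonce means CSRF.
function hypothetical_handle_bulk_download_unprotected() {
    if ( isset( $_GET['alg_download_plugin_bulk'] ) ) {
        return hypothetical_build_zip_archive( 'plugins' );
    }
    if ( isset( $_GET['alg_download_theme_bulk'] ) ) {
        return hypothetical_build_zip_archive( 'themes' );
    }
    return null;
}

// AFTER (hardened): require an appropriate capability AND a nonce bound to the
// specific action. check_admin_referer() reads $_REQUEST['_wpnonce'], verifies
// it against the action string, and calls wp_die() on failure.
function hypothetical_handle_bulk_download_protected() {
    $actions = array(
        'alg_download_plugin_bulk' => array( 'cap' => 'install_plugins', 'what' => 'plugins' ),
        'alg_download_theme_bulk'  => array( 'cap' => 'install_themes',  'what' => 'themes' ),
    );
    foreach ( $actions as $param => $cfg ) {
        if ( ! isset( $_GET[ $param ] ) ) {
            continue;
        }
        if ( ! current_user_can( $cfg['cap'] ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        check_admin_referer( $param );           // dies on missing/invalid nonce
        return hypothetical_build_zip_archive( $cfg['what'] );
    }
    return null;
}

// The legitimate dashboard link must carry a nonce for the same action string,
// otherwise the hardened handler rejects it too.
function hypothetical_bulk_download_link( $param ) {
    $url = add_query_arg( $param, '1', admin_url( 'plugins.php' ) );
    return wp_nonce_url( $url, $param );        // appends _wpnonce=<token>
}

// Typical wiring (assumed): run the check on an admin-side hook.
add_action( 'admin_init', 'hypothetical_handle_bulk_download_protected' );
```

The defensive point is the pairing: every state-changing admin action needs both a capability check (`current_user_can`) and an action-specific nonce (`check_admin_referer` on the receiving side, `wp_nonce_url` or `wp_nonce_field` on the sending side). A nonce alone does not authorize; a capability check alone does not stop a forged request from an authorized user's browser.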

Impact

Exploitation of this vulnerability could lead to unauthorized archival of a site's plugins and themes, with the archived files being saved to the 'wp-content/uploads/' directory.

Reproduction

To reproduce this vulnerability, an attacker must exploit the missing nonce validation by sending a forged request that includes the 'alg_download_plugin_bulk' or 'alg_download_theme_bulk' parameters. This can be done by tricking a site administrator into clicking a link or performing an action that triggers the request. Once the request is processed, the plugin or theme files will be archived and saved to the 'wp-content/uploads/' directory.

Remediation

Users are advised to update the plugin to version 1.9.7 or a newer patched version.

Added: Dec 17, 2025, 8:18 AM
Updated: Dec 17, 2025, 8:18 AM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          2.5
exploitability  7.6
remediation     7.7
relevance       1.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.