CVE-2021-34639

7.5 HIGH

📋 TL;DR

This vulnerability allows authenticated WordPress users with Author or higher privileges to upload files through WordPress Download Manager whose names carry a double extension (for example 'payload.php.png'). The plugin's filename check looks only at the final extension, so the file is accepted; whether it then runs as PHP depends on how the web server maps handlers to extensions. It affects WordPress Download Manager versions 3.1.24 and earlier and is fixed in 3.1.25. On a server that executes such files, an attacker with an Author+ account can upload a web shell and run arbitrary code.
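The following is an added example, not code from the Download Manager plugin or its fix. It contrasts the class of check the TL;DR describes (inspecting only the last extension) with a hardened check that inspects every segment of the name, and shows a rename that neutralises a double extension while keeping the upload. The two extension lists are assumptions chosen for the example; align them with the handlers your own server maps.

```python
# Extensions a PHP-enabled web server may hand to an interpreter when they
# appear anywhere in a file name (constructed list for this example; align
# it with the handlers your Apache/Nginx+PHP-FPM configuration actually maps).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml",
                         "phar", "pht", "pl", "py", "cgi", "sh", "jsp",
                         "asp", "aspx", "shtml"}

# Types this example permits; an allow-list of inert types is the baseline.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt", "pdf", "zip"}


def is_allowed_last_extension_only(filename: str) -> bool:
    """The weak check: inspects only the final extension.

    'payload.php.png' passes because only 'png' is examined; that is the
    class of mistake CVE-2021-34639 describes. Whether the accepted file then
    runs depends on how the web server maps handlers to extensions.
    """
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def is_allowed_upload(filename: str) -> bool:
    """Hardened check: every dot-separated segment is inspected.

    Rejects path separators, NUL bytes, dotfiles (e.g. '.htaccess', which
    could re-enable a handler), names without an extension, final extensions
    outside the allow-list, and any interior segment that an interpreter
    handler might claim.
    """
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1])


def neutralize_upload_name(filename: str) -> str:
    """Rewrite a name so only its final extension survives as an extension.

    Interior dots become underscores: 'payload.php.png' -> 'payload_php.png'.
    The result must still pass is_allowed_upload(); otherwise ValueError.
    """
    parts = filename.split(".")
    if len(parts) > 1:
        candidate = "_".join(parts[:-1]) + "." + parts[-1]
    else:
        candidate = filename
    if not is_allowed_upload(candidate):
        raise ValueError(f"upload rejected: {filename!r}")
    return candidate


if __name__ == "__main__":
    for name in ["photo.png", "payload.php.png", "shell.phtml.jpg",
                 ".htaccess", "../x.png"]:
        print(f"{name:18} last-ext-only={is_allowed_last_extension_only(name)!s:5} "
              f"hardened={is_allowed_upload(name)}")
```

The rename in `neutralize_upload_name` is the friendlier option for a file manager: 'my.holiday.png' stays usable as 'my_holiday.png', while 'payload.php.png' becomes 'payload_php.png' and no longer contains a segment a handler could claim.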

💻 Affected Systems

Products:
  • WordPress Download Manager
Versions: 3.1.24 and prior versions
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Code execution requires a server configuration that hands a file such as 'payload.php.png' to the PHP interpreter, for example Apache with mod_mime's AddHandler mapping for .php (which considers every extension in a name, not just the last) or an Nginx location regex that matches .php without anchoring to the end of the name. The plugin-side upload flaw exists regardless of server configuration.

📦 What is this software?

WordPress Download Manager is a WordPress plugin for managing and distributing downloadable files from a site; it accepts file uploads from users with the appropriate capabilities.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠 Likely Case: Authenticated attackers upload web shells to gain persistent access and execute arbitrary commands.

🟢 If Mitigated: File uploads are blocked or properly validated, preventing malicious file execution.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and authenticated users could exploit this remotely.
🏢 Internal Only: MEDIUM - Internal attackers with Author+ WordPress accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Author+ WordPress account. Proof of concept details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.25

Vendor Advisory: https://wordpress.org/plugins/download-manager/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WordPress Download Manager.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.1.25 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Restrict File Upload Extensions


Configure the web server so that nothing stored in the upload directory is ever handed to an interpreter, regardless of where the executable extension sits in the name. Scope the rule to the upload path: applied site-wide it would block WordPress's own PHP files.

# Apache: put this in .htaccess inside wp-content/uploads (requires AllowOverride)
# or in the vhost. "(?i)" makes the match case-insensitive, since FilesMatch is
# case-sensitive by default; "(\.|$)" catches both "x.php" and "x.php.png".
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht|pl|py|cgi|sh|jsp|asp|aspx|shtml)(\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

# Nginx: inside the server block, placed BEFORE the "location ~ \.php$" block
# (the first regex location that matches wins), so these names never reach PHP-FPM.
location ~* ^/wp-content/uploads/.*\.(php[0-9]?|phtml|phar|pht|pl|py|cgi|sh|jsp|asp|aspx|shtml)(\.|$) {
  deny all;
}

Remove Author+ Upload Permissions


Temporarily remove the file upload capability from the Author role until patched. Editors and Administrators keep their upload rights, so the attack surface is reduced to accounts that already have broad control of the site.

# Use a WordPress role editor plugin, or add this to the active theme's functions.php
# (or a small must-use plugin). map_meta_cap runs for every capability check;
# returning 'do_not_allow' makes current_user_can('upload_files') false for Authors.
add_filter('map_meta_cap', 'remove_author_uploads', 10, 4);
function remove_author_uploads($caps, $cap, $user_id, $args) {
  if ($cap === 'upload_files') {
    $user = get_userdata($user_id);
    // Strict comparison; $user->roles is an array of role slugs.
    if ($user && in_array('author', (array) $user->roles, true)) {
      $caps[] = 'do_not_allow';
    }
  }
  return $caps;
}

🧯 If You Can't Patch

  • Disable WordPress Download Manager plugin completely until patched.
  • Implement web application firewall (WAF) rules to block file uploads with double extensions.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for WordPress Download Manager version. If version is 3.1.24 or lower, you are vulnerable.

Check Version:

# WordPress CLI
wp plugin list --name=download-manager --field=version
# Or read the "Stable tag" line of the installed plugin's readme
grep -i 'stable tag' wp-content/plugins/download-manager/readme.txt

Verify Fix Applied:

After updating, verify WordPress Download Manager version is 3.1.25 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple file upload attempts with double extensions in web server logs
  • POST requests to /wp-admin/admin-ajax.php with 'action=wpdm_upload_file' containing suspicious filenames
  • Unauthorized PHP file execution in upload directories

Network Indicators:

  • HTTP POST requests uploading files with double extensions to WordPress admin endpoints
  • Unusual outbound connections from web server after file uploads

SIEM Query:

# Pseudo-query; field names (uri_path, post_data, filename) depend on your log source and parser
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data="action=wpdm_upload_file") AND (filename="*.php.*" OR filename="*.phtml.*" OR filename="*.phar.*")
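The detection logic described above, run over constructed sample access-log lines, as an added example that is not part of this advisory. It raises the two signals the indicators list (the upload POST to admin-ajax.php, and a later request for a file under wp-content/uploads whose name carries an interpreter-mapped extension) and escalates when both come from the same client within a window. The log lines, the IP addresses, the upload directory path and the extension list are all constructed assumptions for the example; note that if the `action` parameter only appears in the POST body, the access log will not show it and you need WAF or ModSecurity body logging instead.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Interpreter-mapped extensions to look for anywhere in a requested file name
# (constructed list for this example; align it with your server's handlers).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml",
                         "phar", "pht", "pl", "py", "cgi", "sh", "jsp",
                         "asp", "aspx", "shtml"}

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2021:13:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpdm_upload_file HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:13:01:09 +0000] "GET /wp-content/uploads/download-manager-files/payload.php.png?cmd=id HTTP/1.1" 200 214 "-" "curl/7.68.0"
198.51.100.4 - - [10/Jul/2021:13:02:11 +0000] "GET /wp-content/uploads/2021/07/team-photo.png HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:13:03:40 +0000] "GET /wp-content/uploads/download-manager-files/shell.phtml.jpg HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Alert:
    line_no: int
    ip: str
    severity: str
    reason: str


def has_executable_segment(basename: str) -> bool:
    """True if any extension segment after the base name is interpreter-mapped.

    Catches 'payload.php.png' (double extension) as well as a bare 'x.php'.
    """
    parts = basename.lower().split(".")
    return any(p in EXECUTABLE_EXTENSIONS for p in parts[1:])


def _bump(severity: str) -> str:
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


def analyze(log_text: str, window: timedelta = timedelta(minutes=15)) -> list:
    """Scan access-log text for the CVE-2021-34639 upload-then-fetch pattern.

    Signal 1: POST to admin-ajax.php with action=wpdm_upload_file (the upload).
    Signal 2: a request under /wp-content/uploads/ for a name containing an
              interpreter-mapped extension; HTTP 200 means the server served
              (or executed) it, so that is rated higher than a 404.
    A signal-2 hit preceded by a signal-1 hit from the same IP inside `window`
    is escalated one severity level.
    """
    alerts = []
    last_upload = {}  # ip -> datetime of that client's most recent upload POST
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path, _, query = m["target"].partition("?")
        path = unquote(path)
        ip, status = m["ip"], int(m["status"])

        if m["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            if "wpdm_upload_file" in parse_qs(query).get("action", []):
                last_upload[ip] = ts
                alerts.append(Alert(line_no, ip, "medium",
                                    "Download Manager upload request"))
            continue

        if path.startswith("/wp-content/uploads/"):
            basename = path.rsplit("/", 1)[-1]
            if has_executable_segment(basename):
                severity = "high" if status == 200 else "medium"
                reason = f"request for {basename} under uploads (HTTP {status})"
                prior = last_upload.get(ip)
                if prior is not None and timedelta(0) <= ts - prior <= window:
                    severity = _bump(severity)
                    reason += f"; preceded by upload from same IP at {prior:%H:%M:%S}"
                alerts.append(Alert(line_no, ip, severity, reason))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a.line_no} {a.severity:8} {a.ip:14} {a.reason}")
```

On the sample, the upload POST is rated medium, the 200 response for payload.php.png seven seconds later from the same client is escalated to critical, and the 404 for shell.phtml.jpg (upload attempted, file not served) is escalated to high. The GET for the ordinary team-photo.png raises nothing.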
