CVE-2024-13544
📋 TL;DR
The Zarinpal Paid Download WordPress plugin through version 2.3 has improper file upload validation, allowing administrators to upload arbitrary files even when restricted in multisite configurations. This affects WordPress sites using the vulnerable plugin version, particularly in multisite setups where admin privileges are more widely distributed.
💻 Affected Systems
- Zarinpal Paid Download WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could upload malicious files like web shells, leading to complete server compromise, data theft, or ransomware deployment.
Likely Case
Malicious administrators or compromised admin accounts upload backdoors or malware to maintain persistence or exfiltrate data.
If Mitigated
With proper access controls and file upload restrictions, impact is limited to unauthorized file storage without execution.
🎯 Exploit Status
Exploitation requires admin credentials; trivial to exploit once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4 or later
Vendor Advisory: https://wpscan.com/vulnerability/91884263-62a7-436e-b19f-682b1aeb37d6/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Zarinpal Paid Download plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.4+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate zarinpal-paid-download
Restrict File Uploads
Implement server-side restrictions in the web server configuration so that files with script extensions cannot be executed from the upload directories. Scope the rules to wp-content/uploads (and to the plugin's own directory if it stores uploads there); placed at the site root they would also block WordPress's own PHP files and take the site down.
# In .htaccess for Apache, placed in wp-content/uploads/:
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|sh|cgi)$">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 (or 2.4 with mod_access_compat) syntax instead:
    # Order Allow,Deny
    # Deny from all
</FilesMatch>
# In nginx config, inside the server block and before the location that passes .php to PHP-FPM
# (nginx uses the first matching regex location, so this one must come first):
location ~* ^/wp-content/uploads/.*\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
}
🧯 If You Can't Patch
- Remove admin access from untrusted users and implement strict access controls.
- Monitor file upload directories for suspicious files and implement file integrity monitoring.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, open Plugins > Installed Plugins and read the Zarinpal Paid Download version number; versions up to and including 2.3 are vulnerable.
Check Version:
wp plugin get zarinpal-paid-download --field=version
Verify Fix Applied:
Confirm plugin version is 2.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to plugin directories
- Admin users uploading executable files
- HTTP POST requests to upload endpoints with suspicious file extensions
Network Indicators:
- POST requests to /wp-content/plugins/zarinpal-paid-download/ upload endpoints
- Unusual outbound connections from server after file uploads
SIEM Query:
source="web_server" AND (url="*zarinpal-paid-download*" AND method="POST") AND (user_agent="*admin*" OR user="*admin*")
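A small checker for the log indicators listed above, added here as an example (it is not part of the advisory or of the plugin): it parses combined-format access log lines and flags POST requests to the plugin's directory and direct requests for script-extension files under wp-content/uploads, using the same extension list as the server rule above. The sample log lines and the endpoint filename are constructed placeholders, not captured data.

```python
import re
from collections import namedtuple

# Plugin directory named in this advisory; the endpoint filename in the
# constructed sample below is a placeholder, not the plugin's real one.
PLUGIN_PATH = "/wp-content/plugins/zarinpal-paid-download/"
UPLOADS_PATH = "/wp-content/uploads/"
# Same extension list as the .htaccess / nginx rule above.
SCRIPT_EXT = re.compile(r"\.(php|phtml|php[345]|pl|py|jsp|asp|sh|cgi)$", re.I)

# Apache/nginx "combined" format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

Alert = namedtuple("Alert", "rule ip time status path")


def classify(line):
    """Return an Alert for a line matching one of the advisory's indicators, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string before the extension check
    hit = None
    if m.group("method") == "POST" and path.startswith(PLUGIN_PATH):
        hit = "plugin-upload-post"      # upload traffic to the plugin's own endpoints
    elif path.startswith(UPLOADS_PATH) and SCRIPT_EXT.search(path):
        hit = "script-under-uploads"    # a request the server-side deny rule should answer with 403
    if hit is None:
        return None
    return Alert(hit, m.group("ip"), m.group("time"), int(m.group("status")), path)


def scan(lines):
    """Run classify() over an iterable of log lines and return the alerts in order."""
    return [a for a in (classify(l) for l in lines) if a is not None]


# Constructed sample log, not captured from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "GET /product/download-1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:01:30 +0000] "POST /wp-content/plugins/zarinpal-paid-download/upload-handler.php HTTP/1.1" 200 312 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:02:11 +0000] "GET /wp-content/uploads/2025/01/invoice.PHP?v=2 HTTP/1.1" 200 87 "-" "curl/8.4"
198.51.100.4 - - [10/Jan/2025:10:03:00 +0000] "GET /wp-content/uploads/2025/01/cover.png HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 200 status on a "script-under-uploads" alert means the deny rule is not in effect for that path; a 403 means it is working and the request is still worth investigating.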