CVE-2024-9829

CVSS 6.5 (MEDIUM)

📋 TL;DR

The Download Plugin for WordPress is missing capability checks on its dpwap_handle_download_user and dpwap_handle_download_comment handlers. Any authenticated user with Subscriber-level access or higher can invoke them to download any comment and to export user metadata, including PII, hashed passwords, and session tokens. All versions up to and including 2.2.0 are affected; 2.2.1 adds the checks.

💻 Affected Systems

Products:
  • WordPress Download Plugin
Versions: All versions up to and including 2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Download Plugin active. Any authenticated user (Subscriber role or higher) can exploit this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker exports the full user table's metadata, including hashed passwords and session tokens. Cracked administrator hashes lead to account takeover and from there to full site compromise; the remaining hashes and email addresses feed credential-stuffing attacks against other services.

🟠 Likely Case

An attacker with a self-registered Subscriber account downloads user metadata containing email addresses, usernames, and hashed passwords, enabling targeted phishing and offline password cracking.

🟢 If Mitigated

With registration restricted, the plugin updated or deactivated, and access to the handlers monitored, impact is limited to unauthorized read access by an existing low-privilege account, without system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated account, but the lowest default role (Subscriber) is sufficient, and on sites with open registration an attacker can create one. Once logged in, calling the two affected handlers is straightforward. The vulnerability is well documented: the vendor changeset linked below shows exactly where the checks were added.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3170600/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Download Plugin' and click 'Update Now'
4. Verify version is 2.2.1 or higher

🔧 Temporary Workarounds

Disable Download Plugin (platform: all)

Temporarily deactivate the vulnerable plugin until it can be updated; the affected handlers are not loaded while the plugin is inactive.

wp plugin deactivate download-plugin

Restrict User Registration (platform: all)

Disable open registration so attackers cannot self-provision the Subscriber account the exploit needs. This does not protect against accounts that already exist, so review existing low-privilege users as well.

Settings → General → Membership: Uncheck 'Anyone can register'

🧯 If You Can't Patch

  • Restrict access to /wp-admin/ to trusted IPs at the web server or WAF. Note that /wp-admin/admin-ajax.php is also used by front-end features for logged-in and anonymous visitors, so test for breakage and consider allowing only that file through if needed.
  • Log the action parameter of admin-ajax.php requests together with the authenticated user and role, and alert on any call to the dpwap_handle_download_* handlers by a non-administrator account.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → Download Plugin version

Check Version:

wp plugin get download-plugin --field=version

Verify Fix Applied:

Verify Download Plugin version is 2.2.1 or higher in WordPress admin
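The manual checks above can be scripted. The following is an added example, not code from the advisory or from the plugin: it parses the JSON that the real wp-cli command `wp plugin list --format=json` emits (fields name, status, update, version), compares the installed version against the 2.2.1 fix boundary with a proper numeric comparison (a string compare would rank "2.10.0" below "2.2.1"), and distinguishes an active vulnerable install from an inactive one. The sample plugin list is constructed for illustration.

```python
"""Assess whether a site's Download Plugin install is affected by CVE-2024-9829.

Added example (not part of the original advisory or the plugin). It parses the
JSON produced by `wp plugin list --format=json` and decides whether the
installed version is <= 2.2.0 and whether the plugin is active.
"""
import json
import re
import subprocess
from typing import Optional

PLUGIN_SLUG = "download-plugin"
FIXED_VERSION = "2.2.1"
ACTIVE_STATUSES = {"active", "active-network", "must-use"}

# Constructed sample output in the shape `wp plugin list --format=json` emits.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "download-plugin", "status": "active", "update": "available", "version": "2.2.0"},
])


def parse_version(version: str) -> tuple:
    """Turn '2.2.0', '2.2' or '2.2.1-beta1' into a comparable tuple.

    Numeric components are compared as integers and right-padded with zeros,
    so '2.2' == '2.2.0'. A pre-release suffix sorts before the bare release,
    so '2.2.1-beta1' < '2.2.1' and is still treated as vulnerable.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-+]?(.*))?$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    suffix = m.group(2) or ""
    # Empty suffix (final release) ranks above any pre-release tag.
    return (tuple(nums), 1 if suffix == "" else 0, suffix)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fix (i.e. <= 2.2.0)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(plugin_list_json: str) -> dict:
    """Classify the Download Plugin entry from `wp plugin list --format=json`."""
    for entry in json.loads(plugin_list_json):
        if entry.get("name") != PLUGIN_SLUG:
            continue
        active = entry.get("status") in ACTIVE_STATUSES
        if not is_vulnerable(entry["version"]):
            verdict = "patched"
        elif active:
            verdict = "vulnerable"            # handlers reachable by any Subscriber
        else:
            verdict = "vulnerable-inactive"   # not loaded now; update before reactivating
        return {"installed": True, "version": entry["version"],
                "active": active, "verdict": verdict}
    return {"installed": False, "version": None, "active": False,
            "verdict": "not-installed"}


def assess_live_site(wp_path: Optional[str] = None) -> dict:
    """Run wp-cli on this host and assess its output (requires `wp` in PATH)."""
    cmd = ["wp", "plugin", "list", "--format=json"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return assess(out)


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_LIST))
```

Run `assess_live_site("/var/www/html")` on the WordPress host to check a real install; a verdict of "vulnerable-inactive" still warrants updating before the plugin is reactivated, since deactivation is only a workaround.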

📡 Detection & Monitoring

Log Indicators:

  • admin-ajax.php requests whose action parameter invokes the dpwap_handle_download_user or dpwap_handle_download_comment handlers, particularly from accounts that have no business exporting data
  • Multiple user metadata access attempts from single accounts
  • Subscriber-level users accessing admin functions

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action parameters containing dpwap_handle_download
  • Unusual data exfiltration patterns from WordPress instances

SIEM Query (assumes the request's action parameter is indexed as a field named action; stock Apache and nginx access logs do not record POST bodies, so this needs a WAF, reverse proxy, or WordPress-side audit log that captures it):

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND action="dpwap_handle_download_*")
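The three log indicators above can be combined into one detection pass. The following is an added example, not from the advisory or the plugin: it runs over constructed JSON-lines records (the field names ts, src, method, uri, user, role and post are assumptions about the log source) and flags any account that reaches a dpwap_handle_download* handler without the administrator role, or that hits the handlers repeatedly. It goes slightly beyond the POST-only network indicator by also reading the action from the query string, since admin-ajax.php accepts either.

```python
"""Detection logic for CVE-2024-9829 exploitation attempts over sample log records.

Added example, not part of the original advisory. It assumes a log source that
records, per request, the URI, method, the POST body's `action` parameter and
the authenticated WordPress user and role (a WAF, reverse proxy or WordPress
audit log; plain web-server access logs lack POST bodies). Records are constructed.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "dpwap_handle_download"     # covers the _user and _comment handlers
PRIVILEGED_ROLES = {"administrator"}        # the only role expected to export data
BURST_THRESHOLD = 3                         # per-account hits before "burst" fires

# Constructed JSON-lines log, one request per line. Field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-10-12T09:00:01Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"editor1","role":"editor","post":{"action":"heartbeat"}}
{"ts":"2024-10-12T09:00:05Z","src":"203.0.113.7","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"admin","role":"administrator","post":{"action":"dpwap_handle_download_comment"}}
{"ts":"2024-10-12T09:01:10Z","src":"198.51.100.23","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"guest42","role":"subscriber","post":{"action":"dpwap_handle_download_user"}}
{"ts":"2024-10-12T09:01:11Z","src":"198.51.100.23","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"guest42","role":"subscriber","post":{"action":"dpwap_handle_download_user"}}
{"ts":"2024-10-12T09:01:12Z","src":"198.51.100.23","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"guest42","role":"subscriber","post":{"action":"dpwap_handle_download_comment"}}
{"ts":"2024-10-12T09:02:00Z","src":"198.51.100.23","method":"GET","uri":"/wp-admin/admin-ajax.php?action=dpwap_handle_download_user","user":"guest42","role":"subscriber","post":{}}
{"ts":"2024-10-12T09:03:00Z","src":"192.0.2.5","method":"POST","uri":"/wp-login.php","user":"","role":"","post":{"log":"admin"}}
"""


def parse_records(log_text: str) -> List[Dict]:
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def requested_action(rec: Dict) -> str:
    """The admin-ajax `action`, whether sent in the POST body or the query string."""
    action = (rec.get("post") or {}).get("action")
    if action:
        return action
    uri = rec.get("uri", "")
    if "?" in uri:
        for pair in uri.split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            if key == "action":
                return value
    return ""


def is_download_handler_call(rec: Dict) -> bool:
    """Network indicator: admin-ajax.php plus a dpwap_handle_download* action."""
    path = rec.get("uri", "").split("?", 1)[0]
    return path == AJAX_PATH and requested_action(rec).startswith(ACTION_PREFIX)


def detect(log_text: str) -> List[Dict]:
    """Return one alert per account, listing which indicators fired.

    - 'low_priv_export': a non-administrator reached a download handler, which
      is exactly what the missing capability check permitted.
    - 'burst': one account hit the handlers at least BURST_THRESHOLD times.
    """
    hits = [r for r in parse_records(log_text) if is_download_handler_call(r)]
    per_user: Dict[str, List[Dict]] = defaultdict(list)
    for r in hits:
        per_user[r.get("user") or "<anonymous>"].append(r)

    alerts = []
    for user, recs in per_user.items():
        indicators = []
        roles = {r.get("role", "") for r in recs}
        if not roles <= PRIVILEGED_ROLES:
            indicators.append("low_priv_export")
        if len(recs) >= BURST_THRESHOLD:
            indicators.append("burst")
        if indicators:
            alerts.append({
                "user": user,
                "roles": sorted(roles),
                "sources": sorted({r.get("src", "") for r in recs}),
                "actions": dict(Counter(requested_action(r) for r in recs)),
                "count": len(recs),
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample, the administrator's single comment export produces no alert, while the subscriber account is reported once with both indicators. The role check is the one worth keeping after patching: on a fixed install a non-administrator reaching these handlers should never succeed, so any such log line is either a probe or a regression.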
