Vulnerabilities Discovered in the 3DPrint Premium Plugin

The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. We are also sharing information on this vulnerability over on the Jetpack blog. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories on the affected sites, including sensitive files like the site configuration files, which could lead to a full site takeover.

Recently, while looking over some potential false positives flagged by our experimental signatures, the WPScan research team discovered puzzling code in the 3DPrint premium plugin.

This snippet was found in the Tiny File Manager PHP module located within the include directory of the plugin, but is not found in the original Tiny File Manager project. The intention seems to be to integrate the module with the WordPress role-based access controls.

Loading WordPress code files like this in an unrelated module is usually a sign that something is a bit off, so we decided to investigate further.

The observant reader will notice that access to the module is limited to users with the Administrator role, but there are no nonce checks. That would be OK if Tiny File Manager had its own CSRF protection, but as this was not the case, it looks like this code may be susceptible to a CSRF attack. (Tiny File Manager has since added CSRF protection after we made them aware of the issue. Version 2.5.0 and later should be a lot safer to use!)

A complicating factor is that Tiny File Manager is not included in the package when installing 3DPrint premium but is downloaded on demand when activated. The version downloaded at the time of writing is version 2.4.4, but it has been heavily modified by the 3DPrint developers, and is downloaded from their domain, not directly from the Tiny File Manager repositories.

Most of the changes made remove functionality not used by the plugin, as well as a few other changes, like hard-coding the path, and limiting what the file manager should be able to access. In addition, the authentication and authorization features built into Tiny File Manager have been disabled and replaced by the above integration with the WordPress role system.

We have discovered a couple of vulnerabilities where the combination of the modified access controls and inclusion of the Tiny File Manager in the 3DPrint plugin becomes exploitable to an outside attacker. This includes deleting or downloading sensitive files, potentially allowing for a full site takeover. These vulnerabilities exploit the lack of nonce checks in the modified access controls, along with directory traversal vulnerabilities in Tiny File Manager itself.

The WPScan team have tried to contact the vendor of both the 3DPrint plugin and the Tiny File Manager project. Only the developers of the Tiny File Manager project have responded to us and fixed the issues we submitted to them.

As the Tiny File Manager module is downloaded and installed on demand, there’s not necessarily a correspondence between the plugin version and the version of Tiny File Manager being used. However, once installed, there does not seem to be an easy way to update the Tiny File Manager module apart from manually deleting it and activating it again.

For this reason, we consider all versions of 3DPrint to be vulnerable to the below vulnerabilities if the file manager has been activated.

Further Details on the Vulnerabilities

1. CSRF leading to arbitrary file/directory deletion

The mass delete functionality in the included version of Tiny File Manager (version 2.4.4) is not properly protected against directory traversal and also lacks CSRF protections. This allows an attacker to trick an admin into deleting multiple files or even directories on the server recursively. 

This can be exploited by setting the group and delete POST parameters to any value, and passing an array of files/directories to delete in the file parameter. The variable $new_path is a simple concatenation of FM_ROOT_PATH and the passed-in filename, which is then handed to the recursive delete function fm_rdelete(). As fm_rdelete() does not do any validation of the pathnames it is given, this makes the code vulnerable to a directory traversal attack.

Here’s an example proof of concept: 

All paths are relative to the wp-content/uploads/p3d/ directory on the server. When any logged-in admin clicks the button to get rich, their uploads from 2020 will be deleted along with the site's wp-config.php file.

2. CSRF leading to arbitrary downloads

The functionality in the included version of Tiny File Manager (version 2.4.4) to download a zip or tar archive of selected files is not protected against directory traversal and lacks CSRF protections. This allows an attacker to trick an admin into creating a zip or tar archive with arbitrary files and directories from the site, including configuration files or other sensitive content.

The archive is placed in the normal 3DPrint upload directory, wp-content/uploads/p3d/. The file name is only partially controllable by the attacker but is predictable enough that it should be relatively easy to brute force. If they know at what time the forged request was sent, it should also be trivial to make an educated guess.

Sending a POST request with the group parameter and either the zip or tar parameter set to any value will create an archive with the files specified in the file parameter. The current date and time are appended to the file name of the archive, which has the same base name as the file archived, or "archive" if several files are archived together. The archive is created in the 3DPrint upload directory, but the path names of the files are not sanitized and can point outside this directory, making the feature vulnerable to directory traversal attacks.
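The mass delete and the archive features described above fail in the same two ways: the request is authorized by role only (no nonce), and the submitted names are concatenated onto FM_ROOT_PATH without any confinement check before reaching fm_rdelete() or the archiver. The following is an added hardening example written for this write-up; it is not the plugin's or Tiny File Manager's own code. It assumes FM_ROOT_PATH is the hard-coded root the plugin confines the file manager to, that fm_rdelete() is Tiny File Manager's recursive delete, and that the code runs inside WordPress so current_user_can(), wp_verify_nonce() and wp_die() are available. The action name fm_group_action and the helper names fm_confine_path(), fm_filter_paths(), fm_archive_name() and fm_handle_group_action() are invented for the example.

```php
<?php
// Added hardening example, not code from the plugin or from Tiny File Manager.
// Assumes FM_ROOT_PATH (the plugin's hard-coded root) and fm_rdelete() exist.

/**
 * Resolve a user-supplied relative name and confirm it stays under $root.
 * Returns the canonical absolute path, or false when the entry does not exist,
 * is the root itself, or escapes the root (../ sequences, absolute paths,
 * symlinks that point outside). realpath() is what makes symlinks safe here.
 */
function fm_confine_path( string $root, string $name ) {
    $root_real = realpath( $root );
    if ( $root_real === false ) {
        return false;
    }
    // NUL bytes can truncate paths in some PHP file functions; reject outright.
    if ( strpos( $name, "\0" ) !== false ) {
        return false;
    }
    $candidate = realpath( $root_real . DIRECTORY_SEPARATOR . $name );
    if ( $candidate === false ) {
        return false; // nothing there, so nothing to delete or archive
    }
    $prefix = rtrim( $root_real, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( $candidate === $root_real || strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return false;
    }
    return $candidate;
}

/**
 * Reduce the submitted file[] list to entries confined to $root. Out-of-root
 * names are dropped and reported rather than silently "repaired".
 */
function fm_filter_paths( string $root, array $names ): array {
    $allowed  = array();
    $rejected = array();
    foreach ( $names as $name ) {
        if ( ! is_string( $name ) ) {
            continue; // nested arrays or other junk are not file names
        }
        $resolved = fm_confine_path( $root, $name );
        if ( $resolved === false ) {
            $rejected[] = $name;
        } else {
            $allowed[] = $resolved;
        }
    }
    return array( 'allowed' => $allowed, 'rejected' => $rejected );
}

/**
 * Archive name under $root. A bare timestamp is guessable from the time the
 * request was sent, so a random suffix is added to the base name.
 */
function fm_archive_name( string $root, array $sources, string $ext ): string {
    $base = count( $sources ) === 1 ? basename( $sources[0] ) : 'archive';
    return rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR
        . $base . '-' . gmdate( 'Y-m-d_H-i-s' ) . '-' . bin2hex( random_bytes( 8 ) ) . '.' . $ext;
}

/**
 * Guarded handler for the group operations (delete / zip / tar).
 * Role checks alone do not stop CSRF: a browser will happily send an admin's
 * cookies with a forged form, so the request must also carry a nonce bound to
 * this action and this user.
 */
function fm_handle_group_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? (string) $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'fm_group_action' ) ) {
        wp_die( 'Invalid request token', '', array( 'response' => 403 ) );
    }

    $names = ( isset( $_POST['file'] ) && is_array( $_POST['file'] ) ) ? $_POST['file'] : array();
    $paths = fm_filter_paths( FM_ROOT_PATH, $names );
    if ( ! empty( $paths['rejected'] ) ) {
        // Worth logging: a legitimate file manager UI never produces these.
        error_log( 'file manager: rejected out-of-root entries: ' . implode( ', ', $paths['rejected'] ) );
    }

    if ( isset( $_POST['delete'] ) ) {
        foreach ( $paths['allowed'] as $path ) {
            fm_rdelete( $path ); // only ever receives a path strictly under FM_ROOT_PATH
        }
    } elseif ( isset( $_POST['zip'] ) || isset( $_POST['tar'] ) ) {
        $ext     = isset( $_POST['zip'] ) ? 'zip' : 'tar';
        $archive = fm_archive_name( FM_ROOT_PATH, $paths['allowed'], $ext );
        // Hand $paths['allowed'] and $archive to the existing archiver here.
    }
}
```

The form that posts to this handler has to emit the matching token with wp_nonce_field( 'fm_group_action' ), otherwise every legitimate request is rejected too. Note that the confinement check resolves the real path before comparing, so a symlink inside the upload directory that points at wp-config.php is rejected just like a ../ sequence, and the random suffix on the archive name removes the timestamp-guessing step the advisory relies on.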

To exploit this vulnerability, we created a simple payload module for Metasploit that serves a self-submitting form carrying the malicious payload to the vulnerable site. The proof of concept payload sent was:

As the Metasploit module would record the timestamp of when the form was sent, that made it easy to guess the correct filename for the archive created.

Notice how we can deduce the filename of the generated archive from the timestamp of the request. In this case, the server container is running one timezone behind the local timezone.


As the version of the file manager installed is independent of the version of the plugin installed, we cannot recommend a fixed version of the plugin. 

Neither have we found an easy way to update the file manager module if a new version is released at a later date.

For this reason, we consider all versions of the 3DPrint premium plugin vulnerable if the file manager component is enabled.

Our recommendation is to make sure the file manager module is disabled, and that the file is removed from the site.

The easiest way is to delete the file wp-content/plugins/3dprint/includes/ext/tinyfilemanager/tinyfilemanager.php if it exists.


All versions of the 3DPrint premium plugin are vulnerable to CSRF and directory traversal attacks if the file manager module is enabled on the site. This does not affect the free version of the plugin downloaded from the plugin repository.

The Jetpack WPScan team work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. As we have cataloged tens of thousands of WordPress vulnerabilities, we recommend that enterprises make use of WPScan to flag vulnerabilities mapped to your website(s). Additionally, the Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.


Research by Harald Eilertsen, with feedback and corrections provided by Benedict Singer, Rob Pugh, Jen Swisher and the Jetpack Scan team.


  • 2022-09-08: We were made aware of the finding and started investigating
  • 2022-10-25: Contacted vendor first time
  • 2022-11-01: Vendor contacted second time through a different channel
  • 2022-11-08: Mass delete vulnerability disclosed (CVE-2022-3899)
  • 2022-11-15: Contacted developers of Tiny File Manager about lack of CSRF protection, and directory traversal vulnerabilities.
  • 2022-11-19: Tiny File Manager 2.5.0 released, fixing CSRF issues but not the directory traversal problems.
  • 2022-12-13: Public disclosure

Harald Eilertsen

Harald is a Certified Information Systems Security Professional (CISSP) with a wide background from software development and the security industry. He has a Master of Science in analog microelectronics from the Norwegian University of Science and Technology (NTNU), and has worked for companies such as Norman, Tandberg and Cisco before joining the Jetpack Scan team at Automattic.