• Advisory ID: DRUPAL-SA-2008-054
• Project: Plugin Manager (third-party module)
• Versions: 6.x
• Date: 2008-September-24
• Security risk: Critical
• Exploitable from: Remote
• Vulnerability: Access bypass


Description

The Plugin Manager module provides the methods and graphical interfaces needed to automatically install new modules and themes from the Drupal.org website.

An oversight in the menu permissions code allows any user to uninstall and remove modules installed with the Plugin Manager.

This risk is only present under insecure configurations where the web server has permission to delete files. The recommended file permissions are described in the drupal.org handbook at http://drupal.org/node/244924.
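One way to check the precondition described above, as an added example that is not part of the advisory or of Plugin Manager: it walks a modules directory and lists the directories where a given uid and group set has write and search permission, which is what deleting a file requires. The sample tree, the module names and the uid/gid values are constructed, and only classic mode bits are evaluated.

```python
import os
import stat
import tempfile


def can_delete_in(st, uid, gids):
    """True if uid/gids may remove entries from the directory described by st.

    Unlinking a file needs write + search (w+x) on its parent directory; the
    file's own mode does not matter. Only classic mode bits are evaluated:
    ACLs, the sticky bit and root's override are not modelled.
    """
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def audit(root, uid, gids):
    """Return sorted directories (relative to root) where uid could delete files."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        if can_delete_in(os.stat(dirpath), uid, gids):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one locked-down module directory and one loose one."""
    root = tempfile.mkdtemp(prefix="drupal_modules_")
    for name, mode in (("locked_module", 0o755), ("loose_module", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        open(os.path.join(path, name + ".module"), "w").close()
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    st = os.stat(root)
    return root, st.st_uid, st.st_gid


if __name__ == "__main__":
    # Assumption: on a real host, pass the web server account's uid and gids
    # (for example from `id www-data`) and the site's modules directory.
    root, owner_uid, owner_gid = build_sample_tree()
    for d in audit(root, owner_uid + 1, {owner_gid + 1}):
        print("web server account could delete files in:", d)
```

Any directory the audit reports for the web server account is one where the uninstall path could actually remove files; an empty result means the file permissions already block deletion.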

Versions affected

All versions prior to Plugin Manager 6.x-1.2.

Drupal core is not affected. If you do not use the Plugin Manager module, there is nothing you need to do.


Solution

Install Plugin Manager 6.x-1.2.

See also the Plugin Manager project page.

Reported by

Jared Forsyth (jabapyth)