Download Manager < 3.2.71 – Broken Access Controls | CVE 2023-1524 | Plugin Vulnerabilities

Description

The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.

Proof of Concept

- Create two password protected files with different passwords. Note the post ID for each file.
- Navigate to the download page for one of the files. E.g. `<host>/download/password_protected_file_1/`
- Click the "Download" button and enter the password.
- The modal will have a new Download button. Click this one, and intercept the request.
- Change the `wpdmdl` URL parameter to the ID of the other file.
- See that the other file is downloaded without using its password.

Affects Plugins

download-manager

Fixed in 3.2.71

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Johan Kragt

Submitter

Johan Kragt

Verified

Yes

WPVDB ID

3802d15d-9bfd-4762-ab8a-04475451868e

Timeline

Publicly Published

2023-05-08 (about 2 years ago)

Added

2023-05-08 (about 2 years ago)

Last Updated

2023-05-08 (about 2 years ago)

Other

Published

Title

Published

2024-01-24

Title

Views for WPForms < 3.2.3 - Missing Authorization via save_view

Published

2025-02-12

Title

Rank Math SEO < 1.0.236 - Contributor+ Arbitrary Schema Deletion

Published

2023-10-09

Title

Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update

Published

2025-09-29

Title

SmartCrawl SEO checker, analyzer & optimizer < 3.14.4 - Missing Authorization to Plugin Settings Update

Published

2021-11-01

Title

Contest Gallery < 13.1.0.6 - Missing Access Controls to Unauthenticated SQL injection / Email Address Disclosure