The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.
Proof of Concept
- Create two password protected files with different passwords. Note the post ID for each file.
- Navigate to the download page for one of the files. E.g. `<host>/download/password_protected_file_1/`
- Click the "Download" button and enter the password.
- The modal will have a new Download button. Click this one, and intercept the request.
- Change the `wpdmdl` URL parameter to the ID of the other file.
- See that the other file is downloaded without using its password.