WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Download Manager < 3.2.71 - Broken Access Controls

Description

The plugin does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.

Proof of Concept

- Create two password protected files with different passwords. Note the post ID for each file.
- Navigate to the download page for one of the files. E.g. `<host>/download/password_protected_file_1/`
- Click the "Download" button and enter the password.
- The modal will have a new Download button. Click this one, and intercept the request.
- Change the `wpdmdl` URL parameter to the ID of the other file.
- See that the other file is downloaded without using its password.

Affects Plugins

download-manager
Fixed in version 3.2.71

References

CVE
CVE-2023-1524

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Johan Kragt

Submitter

Johan Kragt

Verified

Yes

WPVDB ID
3802d15d-9bfd-4762-ab8a-04475451868e

Timeline

Publicly Published

2023-05-08 (about 4 months ago)

Added

2023-05-08 (about 4 months ago)

Last Updated

2023-05-08 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin