Download Manager < 3.1.23 – Unauthorised Asset Manager Usage

Description

The majority of the AJAX actions related to the Asset Manager use the same nonce action (ie the NONCE_KEY constant), and are lacking any authorisation checks. Given that the nonce is available in other pages, accessible by low priviledge users (such as author, or even subscribers depending on the plugin's feature used), this could lead to unauthorised use of the Asset Manager.

Exploitation of the mkDir, newFile, scanDir, createZip, unZip, deleteItem, openFile, fileSettings, saveFile, moveItem, copyItem would be quite difficult to achieve, as their file/path parameters are encrypted using SECURE_AUTH_KEY or NONCE_SALT, nonetheless, they should be properly secured.

However, the addComment, addShareLink, getLinkDet, updateLink, deleteLink and renameItem can be exploited.

Proof of Concept

With the Pro version installed, Login as author, open the All Package page from the plugin (/wp-admin/edit.php?post_type=wpdmpro) and grab the nonce from the __edlnonce input

Then open https://example.com/wp-admin/admin-ajax.php?__wpdm_getlinkdet=<NONCE>&action=wpdm_getlinkdet&linkid=1 and increment the linkid parameter to discover all access_key along with the full URL to access the shared links.

If a link is protected, it can be updated the same way to change its settings and make it accessible to All Visitors (guest):

https://example.com/wp-admin/admin-ajax.php?__wpdm_updatelink=<NONCE>&action=wpdm_updatelink&ID=2&access%5Broles%5D%5B%5D=guest

Links can also be arbitrary deleted: https://example.com/wp-admin/admin-ajax.php?__wpdm_deletelink=<NONCE>&action=wpdm_deletelink&linkid=1

Notes:
If an authenticated user has access to a shared asset URL, the nonce generated by the NONCE_KEY action will be displayed in them (via the __wpdm_addcomment for example); If the Dashboard page from the plugin feature is enabled, then the nonce generated by the NONCE_KEY action will be displayed via the logout parameter, making the issues above exploitable by any authenticated users, such as subscribers. There might be other (and easier to reach) locations where the nonce is displayed as well.

The PoC above are example of what could be done, other attacks are possible (and could be chained depending on the blog to achieve higher goals) but have not been disclosed.