WordPress Plugin Vulnerabilities
Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure
Description
The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).
Proof of Concept
Expose plaintext passwords (fixed in 3.2.24): - Add a new file and password protect the post from the "publish" box. - Got to https://example.com/wp-json/wpdm/search and notice that the password is exposed in plaintext to unauthenticated users. Bypass authentication to download files (fixed in 3.2.25): - Obtain a download key (_wpdmkey ) with curl --data "" https://example.com/wp-json/wpdm/validate-password - Use it to download arbitrary files by tampering with the wpdmdl parameter, ie: https://example.com/wp-json/wpdm/validate-password?wpdmdl=42&_wpdmkey=XXX
Affects Plugins
Fixed in version 3.2.16
References
Classification
Miscellaneous
Original Researcher
Diogo Real
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-02-02 (about 5 months ago)
Added
2022-02-02 (about 5 months ago)
Last Updated
2022-04-09 (about 2 months ago)