WordPress Plugin Vulnerabilities
Wordpress Download Manager < 3.2.35 - Sensitive Information Disclosure
Description
The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).
Proof of Concept
Expose plaintext passwords (fixed in 3.2.24): - Add a new file and password protect the post from the "publish" box. - Got to https://example.com/wp-json/wpdm/search and notice that the password is exposed in plaintext to unauthenticated users. Bypass authentication to download files (fixed in 3.2.25): - Obtain a download key (_wpdmkey ) with curl --data "" https://example.com/wp-json/wpdm/validate-password - Use it to download arbitrary files by tampering with the wpdmdl parameter, ie: https://example.com/wp-json/wpdm/validate-password?wpdmdl=42&_wpdmkey=XXX
Affects Plugins
References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Diogo Real
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-02 (about 2 years ago)
Added
2022-02-02 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)