WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure

Description

The plugin does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).

Proof of Concept

Expose plaintext passwords (fixed in 3.2.24):

- Add a new file and password protect the post from the "publish" box.
- Got to https://example.com/wp-json/wpdm/search and notice that the password is exposed in plaintext to unauthenticated users.

Bypass authentication to download files (fixed in 3.2.25):
- Obtain a download key (_wpdmkey ) with curl --data "" https://example.com/wp-json/wpdm/validate-password
- Use it to download arbitrary files by tampering with the wpdmdl parameter, ie: https://example.com/wp-json/wpdm/validate-password?wpdmdl=42&_wpdmkey=XXX

Affects Plugins

download-manager
Fixed in version 3.2.16

References

CVE
CVE-2021-25087

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Diogo Real

Submitter twitter
c0rtePentest
Verified

Yes

WPVDB ID
d7ceafae-65ec-4e05-9ed1-59470771bf07

Timeline

Publicly Published

2022-02-02 (about 12 months ago)

Added

2022-02-02 (about 12 months ago)

Last Updated

2022-04-09 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin