CVE-2023-6421 Scanner
CVE-2023-6421 Scanner - Information Disclosure vulnerability in WordPress Download Manager
Short Info
Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
WordPress Download Manager is a widely used plugin that helps site administrators manage downloadable files and documents on WordPress sites. Businesses, educators, and content creators use it to share digital content with users under access controls. The plugin provides file access control, password protection, and download tracking, integrates into the WordPress ecosystem, and supports role-based file access. It is popular for its ease of use and its ability to handle large file repositories; administrators install it to simplify digital file distribution while enforcing access restrictions.
The vulnerability in WordPress Download Manager allows unauthorized access to sensitive password data meant to protect downloadable files. The cause is a flaw in the validate-password API endpoint, which answers crafted requests with more detail than it should. Attackers can exploit this by submitting crafted POST requests to reveal the password or to verify guesses: the response discloses whether a submitted password is valid, which aids brute-force and guessing attacks. No authentication is required, but the attacker must know the protected file's ID. This vulnerability poses a privacy and access control risk for WordPress site administrators.
Technically, the vulnerability exists in the API endpoint at /index.php?rest_route=/wpdm/validate-password. A POST request carrying parameters such as `__wpdm_ID`, `dataType`, `execute`, `action`, and a password value produces a response indicating whether the password is valid. Even incorrect password submissions receive detailed feedback in the JSON response body. The `__wpdm_ID` parameter must be the valid ID of a password-protected file. This makes it possible for attackers to brute-force or guess passwords by querying the endpoint repeatedly. The response carries a JSON content type and a 200 OK status, so results are easy to parse programmatically. The information is exposed without any need to log in.
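Because every guess against this endpoint is an unauthenticated POST to one fixed route, repeated hits from a single client stand out in ordinary web server access logs. The following detection routine is an added example, not part of the scanner or the plugin: it parses constructed combined-format log lines and flags clients that send more than a threshold of validate-password POSTs inside a sliding time window (the sample addresses, timestamps and user agents are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:00:01 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [12/Dec/2023:10:00:03 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.4 - - [12/Dec/2023:10:00:05 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 61 "https://example.test/downloads/" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2023:10:00:06 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [12/Dec/2023:10:00:08 +0000] "GET /wp-content/uploads/brochure.pdf HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Dec/2023:10:00:09 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [12/Dec/2023:10:00:12 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [12/Dec/2023:10:00:15 +0000] "POST /wp-json/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
203.0.113.7 - - [12/Dec/2023:10:20:00 +0000] "POST /index.php?rest_route=/wpdm/validate-password HTTP/1.1" 200 58 "-" "python-requests/2.31"
"""

# client ip, timestamp, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# The vulnerable route named on the page; matching on the route suffix also catches
# the /wp-json/wpdm/validate-password pretty-permalink form of the same REST endpoint.
ROUTE = "/wpdm/validate-password"

def find_password_probing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak_requests_in_window} for clients whose POSTs to the
    validate-password endpoint exceed `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # per-IP timestamps of matching POSTs still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or ROUTE not in path:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

if __name__ == "__main__":
    for ip, n in find_password_probing(SAMPLE_LOG).items():
        print(f"{ip}: {n} password-check POSTs within 60s, likely guessing")
```

Tune the threshold to the legitimate rate of password prompts on the site; a single failed attempt by a genuine user never exceeds it, while a scripted guessing run does within seconds.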
If exploited, attackers can gain access to password-protected downloads by discovering or confirming the correct passwords. This defeats the purpose of password protection and potentially exposes sensitive or proprietary files. Unauthorized access can lead to data leakage, intellectual property theft, or distribution of private documents, and may result in compliance violations where access controls are legally mandated. If the protected files contain executables or scripts, the exposure could escalate to further compromise depending on their content. Ultimately, it puts the integrity and confidentiality of file distribution on affected WordPress installations at risk.