PT-2022-9643 · WordPress · Download Manager

Diogo Real

Published

2022-03-07

Updated

2022-04-12

CVE-2021-25087

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Download Manager WordPress plugin versions prior to 3.2.35

Description The issue concerns a lack of authorization checks in some REST API endpoints, allowing unauthenticated attackers to call them. This could lead to sensitive information disclosure, including posts passwords and files Master Keys.

Recommendations For versions prior to 3.2.24, update to version 3.2.24 or later to fix the posts passwords disclosure issue. For versions prior to 3.2.25, update to version 3.2.25 or later to fix the files Master Keys disclosure issue. For versions prior to 3.2.35, update to version 3.2.35 or later to ensure all related issues are resolved.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2021-25087

Affected Products

Download Manager

PT-2022-9643 · WordPress · Download Manager

CVE-2021-25087

Weakness Enumeration

Related Identifiers

Affected Products

References · 4