CVE-2022-0828

The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpdownloadmanager:wordpress_download_manager:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 06:39

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb - Exploit, Third Party Advisory () https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb - Exploit, Third Party Advisory

25 Jul 2023, 08:15

Type Values Removed Values Added
Summary The Download Manager WordPress plugin before 3.2.39 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.

24 Jul 2023, 13:45

Type Values Removed Values Added
CWE CWE-326 CWE-338

15 Apr 2022, 18:36

Type Values Removed Values Added
References (MISC) https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb - (MISC) https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
CPE cpe:2.3:a:wpdownloadmanager:wordpress_download_manager:*:*:*:*:*:wordpress:*:*

11 Apr 2022, 15:22

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-11 15:15

Updated : 2024-11-21 06:39


NVD link : CVE-2022-0828

Mitre link : CVE-2022-0828

CVE.ORG link : CVE-2022-0828


JSON object : View

Products Affected

wpdownloadmanager

  • wordpress_download_manager
CWE
CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)