The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:39
Type | Values Removed | Values Added |
---|---|---|
References | () https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb - Exploit, Third Party Advisory |
25 Jul 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
Summary | The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. |
24 Jul 2023, 13:45
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-338 |
15 Apr 2022, 18:36
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
CPE | cpe:2.3:a:wpdownloadmanager:wordpress_download_manager:*:*:*:*:*:wordpress:*:* |
11 Apr 2022, 15:22
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-11 15:15
Updated : 2024-11-21 06:39
NVD link : CVE-2022-0828
Mitre link : CVE-2022-0828
CVE.ORG link : CVE-2022-0828
JSON object : View
Products Affected
wpdownloadmanager
- wordpress_download_manager
CWE
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)