CVE-2021-25087

The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).

Published: Mar 7, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-25087
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
w3eden / download_manager	-	3.2.35

https://wpscan.com/vulnerability/d7ceafae-65ec-4e05-9ed1-59470771bf07

Vulnerability Database

289,697

CVE-2021-25087