CVE-2022-0828

The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download.

Published: Apr 11, 2022
Updated: Jul 26, 2023
CVE: CVE-2022-0828
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-326
CWE-338

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
w3eden / download_manager	-	3.2.34

https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb

Vulnerability Database

289,697

CVE-2022-0828