CVE-2021-25087

CWE-862 — Missing Authorization CWE-284 — Improper Access Control3 documents3 sources

Severity

7.5HIGH

EPSS

1.6%

top 18.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Download Manager W3eden Download Manager

Timeline

PublishedMar 7

Latest updateMar 8

Description

The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDw3eden/download_manager< 3.2.35

▶CVEListV5unknown/download_manager3.2.35 — 3.2.35

🔴Vulnerability Details

GHSA

GHSA-hc7r-q2m2-f836: The Download Manager WordPress plugin before 3↗2022-03-08

▶

CVEList

Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure↗2022-03-07

▶