CVE-2023-1524

Severity
6.5 MEDIUM
EPSS
0.2%
top 52.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 30
Latest update Sep 16

Description

The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 2 packages

CVEListV5 unknown/download_manager < 3.2.71

🔴 Vulnerability Details

2
CVEList
Download Manager < 3.2.71 - Broken Access Controls 2023-05-30
GHSA
GHSA-mxx9-mm8m-9wm6: The Download Manager WordPress plugin before 3 2023-05-30

📋 Vendor Advisories

1
Red Hat
kernel: Kernel: Denial of Service via ubifs memory leak 2025-09-16