CVE-2023-6785 — Improper Access Control in Download Manager

CWE-284 — Improper Access Control CWE-862 — Missing Authorization3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 39.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

W3eden Download Manager Codename065 Download Manager

Timeline

PublishedMar 13

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDw3eden/download_manager< 3.2.85

▶CVEListV5codename065/download_manager3.2.84

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-cfwg-f58j-689r: The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and includi↗2024-03-13

▶

CVEList

Download Manager <= 3.2.84 - Missing Authorization↗2024-03-13

▶