CVE-2021-25087
📋 TL;DR
The Download Manager WordPress plugin before version 3.2.35 has REST API endpoints without proper authorization checks, allowing unauthenticated attackers to access sensitive information. This affects WordPress sites using vulnerable versions of the plugin, potentially exposing post passwords and file master keys.
💻 Affected Systems
- WordPress Download Manager plugin
⚠️ Risk & Real-World Impact
Worst Case
An unauthenticated attacker harvests the post passwords and file master keys the REST routes expose and uses them to reach password-protected posts and restricted download packages without ever logging in. Because those values are exactly the secrets that gate the plugin's protected content, no second vulnerability is needed to abuse them.
Likely Case
Opportunistic, scripted harvesting of post passwords and file master keys from exposed sites, followed by unauthorized downloads of restricted files or access to protected posts.
If Mitigated
With proper authorization controls, only authenticated users with appropriate permissions can access the REST API endpoints, preventing information disclosure.
🎯 Exploit Status
The vulnerability is straightforward to exploit: no authentication or user interaction is required, and exploitation is a matter of sending plain HTTP requests to the affected REST routes. The direct impact is information disclosure; the leaked post passwords and master keys are what enable the follow-on access to protected content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.35
Advisory (WPScan): https://wpscan.com/vulnerability/d7ceafae-65ec-4e05-9ed1-59470771bf07
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Download Manager' plugin.
4. Click 'Update Now' if available, or download version 3.2.35 or later from the WordPress plugin repository and install it.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable REST endpoints
Platform: all. Temporarily refuse unauthenticated requests to the plugin's REST namespace until patching is possible. Add to the active theme's functions.php or, preferably, a small must-use plugin (a theme update would silently drop the hook):

```php
<?php
// Temporary mitigation: refuse anonymous requests to Download Manager REST routes.
// Priority 101 runs after core's cookie/nonce check, so is_user_logged_in() is accurate here.
add_filter( 'rest_authentication_errors', 'disable_vulnerable_endpoints', 101 );

function disable_vulnerable_endpoints( $result ) {
    if ( is_wp_error( $result ) ) {
        return $result; // already rejected by core or another plugin
    }
    // Use the resolved route rather than REQUEST_URI so the plain-permalink
    // form (/?rest_route=/wpdm/...) is covered as well as /wp-json/wpdm/...
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '/';
    if ( 0 === strpos( $route, '/wpdm/' ) && ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Unauthorized', array( 'status' => 403 ) );
    }
    return $result;
}
```

Logged-in users keep the plugin's REST features; anonymous clients receive a 403. Any route in the namespace that is meant to be public will also be blocked for the duration of the workaround.

Disable plugin
Platform: Linux (WP-CLI). Temporarily deactivate the Download Manager plugin:
wp plugin deactivate download-manager
🧯 If You Can't Patch
- Put a WAF or web-server rule in front of the plugin's REST routes that blocks requests to /wp-json/wpdm/* unless they come from trusted source addresses. Cover the plain-permalink form too (/index.php?rest_route=/wpdm/* and /?rest_route=/wpdm/*), or the rule is trivially bypassed
- Restrict the WordPress REST API more broadly, either by IP allowlisting at the edge or by requiring authentication for all non-core namespaces, accepting that any front-end feature of the plugin that serves anonymous visitors through those routes will stop working
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Download Manager version. If version is below 3.2.35, the site is vulnerable.
Check Version:
wp plugin list --name=download-manager --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 3.2.35 or higher in the admin panel or via the WP-CLI command above. Then, from a client with no WordPress cookies, request the routes the plugin registers under its namespace and confirm they answer with a REST authorization error (HTTP 401 or 403) rather than 200 and data. Note that the namespace index itself (/wp-json/<namespace>) lists routes and is public by design, so a 200 there proves nothing either way.
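The two verification checks above, as an added example rather than code from the advisory or the plugin: a numeric version comparison against the fixed release (a plain string compare would rank a hypothetical 3.10.0 below 3.2.35), and an anonymous probe of a REST route. The /wp-json prefix and the route to probe are assumptions supplied by the caller; the sample version strings are constructed.

```python
"""Version and anonymous-probe checks for the Download Manager fix.
Added example; constructed inputs, not code from the advisory or plugin."""
import re
import sys
import urllib.error
import urllib.request

FIXED_VERSION = "3.2.35"


def parse_version(v: str) -> tuple:
    """Turn '3.2.34' into a comparable tuple of ints.

    A numeric compare avoids the string pitfall where '3.10.0' sorts below
    '3.2.35'. A trailing suffix such as '-beta1' marks a pre-release and is
    ranked below the plain release (-1 vs 0), so a 3.2.35 pre-release is
    still treated as unfixed."""
    v = v.strip()
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts.append(-1 if m.end() < len(v) else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed plugin version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def probe_route(base_url: str, route: str, timeout: float = 10.0) -> int:
    """GET a plugin REST route with no cookies or credentials; return the HTTP status.

    Assumptions: the default /wp-json prefix, and a route path supplied by the
    caller (the namespace index lists them; that index is public by design, so a
    200 there proves nothing). A fixed install should answer 401/403, not 200."""
    url = base_url.rstrip("/") + "/wp-json/" + route.lstrip("/")
    req = urllib.request.Request(url, headers={"User-Agent": "wpdm-fix-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample values, as `wp plugin list --name=download-manager --field=version` might print.
    for sample in ("3.2.34", "3.2.35", "3.10.0", "3.2.35-beta1"):
        print(f"{sample}: {'vulnerable' if is_vulnerable(sample) else 'fixed'}")
    if len(sys.argv) == 3:  # usage: python check.py https://example.org wpdm/v1/<route>
        print("HTTP", probe_route(sys.argv[1], sys.argv[2]))
```

Run with no arguments to see the version classification on the constructed samples; pass a site URL and a route path to probe a live install.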
📡 Detection & Monitoring
Log Indicators:
- Runs of 200 responses to /wp-json/wpdm/* (or to /?rest_route=/wpdm/*, the plain-permalink form) from a client that has no WordPress session. Standard web-server access logs record only the HTTP-auth user field, which is "-" for every cookie-authenticated WordPress request, so the access log alone cannot tell a logged-in administrator from an anonymous client; correlate with WordPress login or audit logs
- Unusual access patterns to the plugin's REST routes, such as one client enumerating many post or package IDs in quick succession
Network Indicators:
- HTTP requests to /wp-json/wpdm/* or ?rest_route=/wpdm/* endpoints from clients that never authenticated to the site
- Increased traffic to the WordPress REST API from suspicious IPs
SIEM Query (Splunk-style; field names depend on your log source):
source="wordpress.log" AND response_code=200 AND (uri_path="/wp-json/wpdm/*" OR uri_query="*rest_route=/wpdm/*")
Do not filter on user="-" to isolate unauthenticated clients: that field reflects HTTP basic auth only, not WordPress login state. Triage hits by client IP instead.
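Detection logic for the indicators above, as an added example and not anything from the advisory: it parses combined-format access-log lines (constructed here, not real traffic), counts 2xx responses per client into the plugin's REST namespace, and matches the plain-permalink form (?rest_route=/wpdm/..., percent-encoded or not) that a path-only query misses. The route /wpdm/v1/example in the sample lines is a placeholder, not a real plugin route, and the default /wp-json prefix is assumed.

```python
"""Flag clients pulling data from the Download Manager REST namespace.
Added example: constructed access-log lines, placeholder routes."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumptions: default REST prefix (wp-json) and the plugin namespace prefix wpdm.
REST_PREFIX = "/wp-json"
PLUGIN_NS = "/wpdm/"


def hits_wpdm(target: str) -> bool:
    """True if the request targets the plugin namespace, through either pretty
    permalinks (/wp-json/wpdm/...) or the plain form (/?rest_route=/wpdm/...),
    with percent-encoding decoded so %2Fwpdm%2F is not missed."""
    parts = urlsplit(target)
    if unquote(parts.path).startswith(REST_PREFIX + PLUGIN_NS):
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if ("/" + route.lstrip("/")).startswith(PLUGIN_NS):
            return True
    return False


def flag_clients(lines, threshold: int = 1) -> dict:
    """Count 2xx responses into the plugin namespace per client IP and return
    {ip: count} for clients at or above threshold.

    The access-log user field is HTTP auth only ('-' for every cookie-authenticated
    WordPress request), so this cannot prove the client was anonymous; treat hits
    as leads to correlate with WordPress login/audit records."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not 200 <= int(m["status"]) < 300:
            continue
        if hits_wpdm(m["target"]):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample traffic; /wpdm/v1/example is a placeholder route.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2022:10:00:01 +0000] "GET /wp-json/wpdm/v1/example HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '198.51.100.7 - - [01/Jan/2022:10:00:02 +0000] "GET /?rest_route=%2Fwpdm%2Fv1%2Fexample HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '198.51.100.7 - - [01/Jan/2022:10:00:03 +0000] "GET /wp-json/wpdm/v1/example HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '203.0.113.9 - - [01/Jan/2022:10:01:00 +0000] "GET /wp-json/wpdm/v1/example HTTP/1.1" 401 97 "-" "curl/7.81.0"',
    '192.0.2.5 - - [01/Jan/2022:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [01/Jan/2022:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in sorted(flag_clients(SAMPLE_LOG, threshold=2).items()):
        print(f"{ip}: {n} successful wpdm REST requests")
```

The 401 line from 203.0.113.9 is what a patched site returns to an anonymous client and is deliberately not counted; only successful reads of the namespace are flagged.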