CVE-2022-0828 – This vulnerability in the Download Manager Word... (How to Fix)

Q: What is the severity of CVE-2022-0828?

CVE-2022-0828 has a CVSS score of 7.5 (HIGH). This vulnerability in the Download Manager WordPress plugin allows attackers to brute-force download access keys, bypassing role-based restrictions and password protections. Any WordPress site using affected versions of this plugin is vulnerable, potentially exposing sensitive files to unauthorized users.

📋 TL;DR

This vulnerability in the Download Manager WordPress plugin allows attackers to brute-force download access keys, bypassing role-based restrictions and password protections. Any WordPress site using affected versions of this plugin is vulnerable, potentially exposing sensitive files to unauthorized users.

💻 Affected Systems

Products:

WordPress Download Manager plugin

Versions: All versions before 3.2.34

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects sites using the Download Manager plugin with protected downloads. Standard WordPress installations without this plugin are not affected.

📦 What is this software?

Download Manager by W3eden

View all CVEs affecting Download Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized access to all protected downloads including sensitive files, intellectual property, or confidential documents regardless of access controls.

🟠

Likely Case

Exposure of some protected downloads to attackers who invest minimal resources in brute-forcing keys.

🟢

If Mitigated

No impact if plugin is patched or disabled, or if downloads are stored outside the web-accessible directory.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires no authentication to exploit.

🏢 Internal Only: MEDIUM - Internal WordPress sites could still be exploited by internal threat actors or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is straightforward to exploit using automated tools to brute-force the predictable uniqid() generated keys.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.34 and later

Vendor Advisory: https://wordpress.org/plugins/download-manager/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Download Manager' and click 'Update Now'. 4. Verify version is 3.2.34 or higher.

🔧 Temporary Workarounds

Disable Download Manager plugin

all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate download-manager

Move protected downloads outside web root

all

Store sensitive downloads outside the publicly accessible directory and serve via secure methods

🧯 If You Can't Patch

Implement web application firewall rules to block download key brute-force attempts
Monitor access logs for unusual download patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Download Manager version. If version is below 3.2.34, the site is vulnerable.

Check Version:

wp plugin get download-manager --field=version

Verify Fix Applied:

Confirm Download Manager plugin version is 3.2.34 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Multiple failed download attempts with sequential or predictable key patterns
Successful downloads from unusual IP addresses or user agents

Network Indicators:

High volume of requests to download endpoints with varying key parameters
Patterns of sequential key guessing in download URLs

SIEM Query:

source="web_logs" AND (url="*wpdmact=*" OR url="*download-manager*download*" OR url="*wpdmact=*download*") AND (status=200 OR status=403) | stats count by src_ip, url

📊 Metadata

CVE ID: CVE-2022-0828

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-338

Published: April 11, 2022

Last Updated: March 21, 2025

🔗 References

https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb Exploit,Third Party Advisory
https://wpscan.com/vulnerability/7f0742ad-6fd7-4258-9e44-d42e138789bb Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-0828, you might also want to check these: