[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhMTK5knP05wYyUV_a3ORprQRWd-g6t1fXoBOXn17Rw4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"source_links":40},"CVE-2026-4057","download-manager-missing-authorization-to-authenticated-contributor-media-file-protection-removal","Download Manager \u003C= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal","The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.","download-manager",null,"\u003C=3.3.51","3.3.52","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-09 12:00:41","2026-04-10 01:24:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa6b02846-61be-4571-921d-53df5493f856?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fadmin-styles.css","assets\u002Fcss\u002Fadmin-styles.min.css","assets\u002Fmodal\u002Fwpdm-modal.css","assets\u002Fmodal\u002Fwpdm-modal.js","assets\u002Fmodal\u002Fwpdm-modal.min.css","assets\u002Fmodal\u002Fwpdm-modal.min.js","download-manager.php","readme.txt","researched",false,3,"This research plan outlines the technical steps required to exploit **CVE-2026-4057** in WordPress Download Manager \u003C= 3.3.51.\n\n## 1. Vulnerability Summary\nThe vulnerability is a **Missing Authorization** flaw within the media protection features of the Download Manager plugin. Specifically, the functions `makeMediaPublic()` and `makeMediaPrivate()` (likely located within `WPDM\\MediaLibrary\\MediaHandler`) verify if a user has the `edit_posts` capability (possessed by Contributors and above) but fail to verify if the user has permission to edit the *specific* post\u002Fattachment ID provided (`edit_post`).\n\nBecause these functions execute their metadata-stripping logic before broader access control checks, a Contributor can remove protection settings (passwords, role restrictions) from media files owned by Administrators, rendering them accessible via direct URL.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Actions:** `wpdm_make_media_public` and `wpdm_make_media_private` (inferred from function names and WPDM naming conventions).\n- **Required Parameter:** `id` (The WordPress Attachment\u002FPost ID of the media file).\n- **Authentication:** Authenticated, minimum level **Contributor**.\n- **Preconditions:** A media file must be uploaded by an Admin and protected using WPDM's Media Library protection features.\n\n## 3. Code Flow (Trace)\n1. **Entry Point:** An authenticated user (Contributor+) sends a POST request to `admin-ajax.php` with the action `wpdm_make_media_public`.\n2. **Hook Registration:** The plugin registers the action (likely in `src\u002FMediaLibrary\u002FMediaHandler.php` or `src\u002Fwpdm-core.php`):\n   `add_action('wp_ajax_wpdm_make_media_public', array($this, 'makeMediaPublic'));`\n3. **Capability Check:** Inside `makeMediaPublic()`, the code checks `current_user_can('edit_posts')`. This returns `true` for Contributors.\n4. **Missing Ownership Check:** The code retrieves the `$id` from `$_REQUEST['id']`. It fails to perform `current_user_can('edit_post', $id)`.\n5. **Metadata Deletion:** The function proceeds to call `delete_post_meta($id, ...)` for keys such as `__wpdm_lock`, `__wpdm_password`, and `__wpdm_access`.\n6. **Result:** The attachment is no longer \"locked\" by WPDM, and its direct file path\u002FURL becomes unprotected.\n\n## 4. Nonce Acquisition Strategy\nWPDM usually localizes nonces into the `wpdm_js` or `wpdm_admin` object for use in the media library interface.\n\n1.  **Identify the Script:** WPDM enqueues scripts for the media library.\n2.  **Create Test Page:** To ensure the script is enqueued for a Contributor, create a post with a WPDM-related shortcode or navigate to a WPDM admin page.\n3.  
**Search for Nonce:**\n    - Use `grep -r \"wp_create_nonce\" src\u002F` to find the action string used for media protection.\n    - Common WPDM nonce action: `__wpdm_media_auth` (inferred).\n4.  **Extract via Browser:**\n    ```javascript\n    \u002F\u002F In the browser console of the Contributor user\n    console.log(window.wpdm_js?.nonce || window.wpdm_admin?.nonce);\n    ```\n    *Note:* If the nonce is strictly required, the agent should search `src\u002FMediaLibrary\u002FMediaHandler.php` for `check_ajax_referer` to identify the expected parameter name (usually `__wpdm_media_auth` or similar).\n\n## 5. Exploitation Strategy\n### Step 1: Target Identification\nFind the ID of a protected media file uploaded by the Administrator. If not known, create one in the setup phase.\n\n### Step 2: Request Construction\nSend a request to make the media public as the Contributor.\n\n**HTTP Request:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```\n  action=wpdm_make_media_public&id=[TARGET_MEDIA_ID]&__wpdm_media_auth=[NONCE]\n  ```\n  *(Note: Replace `__wpdm_media_auth` with the actual nonce key found during research).*\n\n### Step 3: Verify Metadata Stripping\nCheck if the specific WPDM protection meta keys are removed from the database for that ID.\n\n## 6. Test Data Setup\n1.  **Admin User:** Create a media file (Attachment).\n2.  **Protect Media:** Use WPDM to protect the media.\n    - Set a password: `update_post_meta($media_id, '__wpdm_password', 'secret123');`\n    - Set lock: `update_post_meta($media_id, '__wpdm_lock', '1');`\n3.  **Contributor User:** Create a user with the `contributor` role.\n4.  **Nonce Page:** Create a page using `wp post create` that includes a `[wpdm_direct_link id=...]` shortcode to force script enqueuing if necessary.\n\n## 7. 
Expected Results\n- **Response:** The server should return a success message (likely JSON `{\"success\": true}` or a string \"1\").\n- **Database Change:** The post meta entries for `__wpdm_lock`, `__wpdm_password`, etc., for the target ID should be deleted.\n- **Access Change:** A direct request to the media file or the WPDM download URL that previously required a password should now serve the file immediately without a prompt.\n\n## 8. Verification Steps\nAfter running the exploit via `http_request`, verify the state using `wp-cli`:\n\n```bash\n# Check if protection metadata still exists\nwp post meta get [TARGET_MEDIA_ID] __wpdm_lock\nwp post meta get [TARGET_MEDIA_ID] __wpdm_password\n\n# Expected: \"Error: Could not find the metadata for key...\"\n```\n\n## 9. Alternative Approaches\nIf `wpdm_make_media_public` is not the correct action name:\n1.  Search `src\u002FMediaLibrary\u002FMediaHandler.php` for `add_action` calls.\n2.  If `edit_posts` isn't sufficient, try the exploit with an **Author** account.\n3.  If a nonce is not found in the global JS object, check if the function `makeMediaPublic` calls `check_ajax_referer`. If it doesn't, the exploit can be performed without a nonce.\n4.  Try the `wpdm_make_media_private` action to see if it allows modifying settings on files the user doesn't own (same vulnerability, different direction).","The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check in its media protection removal logic. 
This allows authenticated users with Contributor-level privileges and above to strip passwords, locks, and access restrictions from media files they do not own, making admin-protected files publicly accessible via direct URLs.","--- src\u002FMediaLibrary\u002FMediaHandler.php\n+++ src\u002FMediaLibrary\u002FMediaHandler.php\n@@ -134,7 +134,8 @@\n     function makeMediaPublic()\n     {\n-        if (!current_user_can('edit_posts')) {\n+        $id = (int)$_REQUEST['id'];\n+        if (!current_user_can('edit_post', $id)) {\n             die('Unauthorized');\n         }\n-        $id = (int)$_REQUEST['id'];\n         delete_post_meta($id, \"__wpdm_lock\");\n         delete_post_meta($id, \"__wpdm_password\");\n         delete_post_meta($id, \"__wpdm_access\");\n@@ -148,7 +149,8 @@\n     function makeMediaPrivate()\n     {\n-        if (!current_user_can('edit_posts')) {\n+        $id = (int)$_REQUEST['id'];\n+        if (!current_user_can('edit_post', $id)) {\n             die('Unauthorized');\n         }\n-        $id = (int)$_REQUEST['id'];\n         update_post_meta($id, \"__wpdm_lock\", 1);","The exploit targets the `wpdm_make_media_public` or `wpdm_make_media_private` AJAX actions. An attacker must be authenticated as a Contributor or higher. The attacker first identifies the WordPress Attachment ID of a protected media file owned by an administrator. They then obtain a valid AJAX nonce (commonly localized as `wpdm_js.nonce` or used in the media library interface). By sending a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the target `id` and the `action` parameter set to `wpdm_make_media_public`, the attacker triggers the deletion of protection metadata (`__wpdm_lock`, `__wpdm_password`, `__wpdm_access`) for the target ID. 
Because the plugin only verifies the general `edit_posts` capability and fails to verify specific ownership for the provided ID, the operation completes successfully, rendering the file publicly accessible.","gemini-3-flash-preview","2026-04-16 16:20:40","2026-04-16 16:21:03",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","3.3.51","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.51","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.51.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.52","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.52.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags"]
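Review bot: the `makeMediaPublic()` hunk in the `research_fix_diff` field still has no nonce verification, so after the change a forged request carried by an administrator's browser session passes the new `current_user_can('edit_post', $id)` check and strips the protection metadata just as before; a `check_ajax_referer()` call belongs before the capability check. Two smaller points in the same hunk: `$id = (int)$_REQUEST['id'];` is evaluated with no `isset()` guard, so a request without `id` raises a notice and then checks `edit_post` against ID 0, and `die('Unauthorized');` answers with HTTP 200, where `wp_send_json_error(..., 403)` would give the client and any WAF a usable signal.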
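Review bot: the `makeMediaPrivate()` hunk edits `src/MediaLibrary/MediaHandler.php`, but that file is not in `patch_diff_files` for 3.3.52 (only `assets/css/admin-styles*.css`, `assets/modal/wpdm-modal.*`, `download-manager.php` and `readme.txt` are listed), so this diff is a reconstruction of the fix and should be labelled as such rather than presented as the shipped change. The hunk is also not applicable as written: the header `@@ -148,7 +149,8 @@` counts 7 old and 8 new lines while the body shows 9 and 9, and the hunk stops at `update_post_meta($id, "__wpdm_lock", 1);` without the trailing context of the function. Both hunks share the same three-line gate, which argues for one shared authorization helper rather than two copies that can drift apart.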
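The research plan and fix diff above hinge on one distinction: `edit_posts` is a role-wide capability (every Contributor has it), while `edit_post` with an ID is an object-level capability that `map_meta_cap()` turns into `edit_others_posts` when the attachment belongs to someone else, which Contributors lack. The following handler, written for this page as an added illustration and not code from Download Manager, keeps the vulnerable pattern the advisory describes next to a hardened version that also closes the gaps the reconstructed diff leaves open (no nonce check, unguarded `$_REQUEST['id']`, HTTP 200 on denial). The namespace and class name are hypothetical; the AJAX action names, the `__wpdm_media_auth` nonce action and the `__wpdm_lock`, `__wpdm_password` and `__wpdm_access` meta keys are taken from the plan's own inferences and are assumptions, not verified plugin identifiers.

```php
<?php
// Added example for this page; not Download Manager's own code.
// Hypothetical namespace; action names, nonce action and meta keys are assumed
// from the research plan above, not verified against the plugin source.
namespace WPDM_Example;

class MediaProtectionHandler
{
    // Meta keys the plan names as the WPDM protection flags (assumed).
    const META_KEYS = ['__wpdm_lock', '__wpdm_password', '__wpdm_access'];
    // Nonce action and request field name; the plan infers '__wpdm_media_auth'.
    const NONCE_ACTION = '__wpdm_media_auth';

    public function register(): void
    {
        // Only wp_ajax_ (logged-in) hooks; a write action must never get wp_ajax_nopriv_.
        add_action('wp_ajax_wpdm_make_media_public', [$this, 'makeMediaPublic']);
        add_action('wp_ajax_wpdm_make_media_private', [$this, 'makeMediaPrivate']);
    }

    // VULNERABLE pattern as the advisory describes it (kept for contrast, not hooked):
    // edit_posts is true for every Contributor and says nothing about *this*
    // attachment, so any Contributor can strip protection from any attachment ID,
    // and there is no nonce, so a forged cross-site request works as well.
    public function makeMediaPublicVulnerable(): void
    {
        if (!current_user_can('edit_posts')) {
            die('Unauthorized');
        }
        $id = (int) $_REQUEST['id'];
        foreach (self::META_KEYS as $key) {
            delete_post_meta($id, $key);
        }
        die('1');
    }

    // HARDENED: both directions go through one object-level gate.
    public function makeMediaPublic(): void
    {
        $id = $this->authorizeAttachment();
        foreach (self::META_KEYS as $key) {
            delete_post_meta($id, $key);
        }
        wp_send_json_success(['id' => $id, 'protected' => false]);
    }

    public function makeMediaPrivate(): void
    {
        $id = $this->authorizeAttachment();
        update_post_meta($id, '__wpdm_lock', 1);
        wp_send_json_success(['id' => $id, 'protected' => true]);
    }

    /**
     * Shared gate:
     *  1. CSRF: check_ajax_referer() dies with -1 and HTTP 403 on a bad/missing nonce.
     *  2. Input: id must be a positive integer naming an existing attachment.
     *  3. Authorization: edit_post on that specific ID. For attachments owned by
     *     another user, map_meta_cap() requires edit_others_posts, which the
     *     Contributor role does not have, so the cross-owner case is denied.
     */
    private function authorizeAttachment(): int
    {
        check_ajax_referer(self::NONCE_ACTION, self::NONCE_ACTION);

        $id   = isset($_REQUEST['id']) ? absint($_REQUEST['id']) : 0;
        $post = $id ? get_post($id) : null;
        if (!$post || $post->post_type !== 'attachment') {
            wp_send_json_error(['message' => 'Unknown attachment'], 404);
        }
        if (!current_user_can('edit_post', $id)) {
            wp_send_json_error(['message' => 'Unauthorized'], 403);
        }
        return $id;
    }
}

(new MediaProtectionHandler())->register();
```

The ordering inside `authorizeAttachment()` is deliberate: the nonce is checked first so that no database lookup or capability resolution happens for an unauthenticated forgery, the attachment lookup second so the capability check is evaluated against a real object rather than ID 0, and the object-level capability last. A Contributor can still unlock their own uploads, which is the ownership semantics the advisory's `current_user_can('edit_post', $id)` wording implies; if the site wants unlocking restricted to administrators regardless of ownership, the check should be `current_user_can('manage_options')` (or a dedicated custom capability) instead.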