CVE-2021-25087: Wordpress Download Manager < 3.2.25 - Sensitive Information Disclosure
First published: Mon Mar 07 2022(Updated: )
The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) and files Master Keys (fixed in 3.2.25).
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress Download Manager | <3.2.35 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2021-25087?
CVE-2021-25087 is considered a medium severity vulnerability affecting the Download Manager WordPress plugin.
How do I fix CVE-2021-25087?
To fix CVE-2021-25087, update the Download Manager WordPress plugin to version 3.2.35 or later.
What kind of impact does CVE-2021-25087 have?
CVE-2021-25087 can lead to sensitive information disclosure, including post passwords and files.
Which versions of the WordPress Download Manager are affected by CVE-2021-25087?
CVE-2021-25087 affects all versions of the WordPress Download Manager plugin before 3.2.35.
Are authentication checks present in CVE-2021-25087?
No, CVE-2021-25087 lacks proper authentication checks in some REST API endpoints.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/title
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wpdownloadmanager
- canonical/wordpress download manager