cve/2023/CVE-2023-1524.md

### [CVE-2023-1524](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1524)
![](https://img.shields.io/static/v1?label=Product&message=Download%20Manager&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%3C%203.2.71%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-284%20Improper%20Access%20Control&color=brighgreen)

### Description

The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.

### POC

#### Reference
- https://wpscan.com/vulnerability/3802d15d-9bfd-4762-ab8a-04475451868e

#### Github
No PoCs found on GitHub currently.