WordPress Download Manager Plugin Missing Capability Check Vulnerability Allows Unauthorized Media Access Control Modification

A vulnerability exists in the Download Manager plugin for WordPress, specifically in versions prior to and including 3.3.51. The issue arises from a lack of proper capability checks in the 'makeMediaPublic()' and 'makeMediaPrivate()' functions. These functions only verify the 'edit_posts' capability without checking post ownership, allowing authenticated attackers with Contributor-level access or higher to remove protection metadata from media files they do not own. This oversight can make admin-protected files publicly accessible via direct URLs.

Impact

Exploitation of this vulnerability allows for unauthorized removal of protection from media files, potentially exposing sensitive content that was meant to be restricted.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access can use the 'makeMediaPublic()' function to remove protection from a media file they do not own. This can be done by sending a request that includes the media ID and the appropriate nonce for authentication. The absence of a post ownership check enables this unauthorized modification.

Remediation

Users can update to Download Manager version 3.3.52 or later, where this vulnerability has been fixed.