CVE-2023-6421

Severity: HIGH · Nuclei template available

WordPress Download Mgr <3.2.83 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-6421. PoCs published by RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary: The PoC exploits an unauthenticated password leak vulnerability in Download Manager < 3.2.83 by brute-forcing IDs and extracting download URLs with embedded keys. It sends POST requests to the `/wp-json/wpdm/validate-password` endpoint and checks for valid responses.

Description

The Download Manager WordPress plugin before 3.2.83 does not protect file downloads' passwords, leaking them upon receiving an invalid one.

Exploits (1)

nomisec · Working PoC · 1 star
by RandomRobbieBF · PoC
https://github.com/RandomRobbieBF/CVE-2023-6421


Classification: Working PoC (95% confidence)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Download Manager < 3.2.83
Authentication: none needed
Prerequisites: Target must have the vulnerable Download Manager plugin installed and accessible
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

WordPress Download Manager - File Password Exposure
Severity: MEDIUM · Verified · by ritikchaddha
Shodan: html:"wp-content/plugins/download-manager/"
FOFA: body="wp-content/plugins/download-manager/"

References (1)

Core references (1)
Tags: Broken Link, Exploit, Third Party Advisory; exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/244c7c00-fc8d-4a73-bbe0-7865c621d410

Scores

CVSS v3: 7.5
EPSS: 0.0244
EPSS Percentile: 82.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-522
Status: published
Products (1): w3eden/download_manager < 3.2.83
Published: Jan 01, 2024
Tracked Since: Feb 18, 2026