WordPress Download Manager Plugin Exposed Passwords, Still Is Storing Plaintext Passwords
Developers of WordPress plugins are not always open about fixing security issues in their plugins. That seems to be the case with the latest release of the 100,000+ install Download Manager plugin. Its changelog hints that a security issue might have been fixed, as it reads “fixed an issue with the password validation for password-protected files.” As at least one of our customers is using the plugin, we checked over the change to see if there was something we should be warning about and, if so, to make sure it was fixed. We found that a security issue was addressed, though there is another underlying issue that still hasn’t been addressed.
In the plugin’s file /src/Package/PackageLocks.php, a single line of code was removed in the new version:
$data['op'] = $passwords;
That doesn’t tell you much on its own, but the surrounding code suggested that when the password for a download was submitted through an AJAX request and it was wrong, the response would include the download’s actual password. We confirmed that was indeed the case. So previously, password protected downloads had their passwords disclosed to anyone who tried a wrong password. It seems unlikely the developer didn’t realize what they were addressing, yet the changelog doesn’t warn about it.
What would be obvious to anyone familiar with proper storage of passwords is that this shouldn’t be possible. The plaintext of a password shouldn’t be stored. Instead, a hash of the password should be stored, which can be thought of as a one-way transformation: the hash can be computed from the password, but the password can’t be recovered from the hash. With that in place, the plaintext of the password couldn’t be shown even by code that tried to, but that is what happened here. We confirmed that the plaintext of passwords for downloads is stored as postmeta entries.
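To make the two problems concrete, here is an added illustration written for this post; it is not code from the Download Manager plugin. The postmeta store, the meta key name `download_passwords`, the post ID and the sample passwords are all made up stand-ins, and the AJAX handlers are simplified. The first pair of functions reproduces the vulnerable pattern (plaintext stored, plaintext echoed back in the failure response); the second pair stores only a salted password hash with PHP’s standard `password_hash()`/`password_verify()`, so there is no plaintext left to disclose even if a similar line were added again.

```php
<?php
// Added example, not the plugin's own code. The postmeta array and the
// 'download_passwords' key are hypothetical stand-ins for WordPress postmeta.

$postmeta = []; // post ID => meta key => value (stand-in for the postmeta table)

function set_meta(int $post_id, string $key, $value): void {
    global $postmeta;
    $postmeta[$post_id][$key] = $value;
}

function get_meta(int $post_id, string $key) {
    global $postmeta;
    return $postmeta[$post_id][$key] ?? null;
}

// ---- Vulnerable pattern: plaintext stored and leaked on a wrong guess ----

function vulnerable_protect(int $post_id, array $passwords): void {
    // Plaintext passwords written straight to postmeta.
    set_meta($post_id, 'download_passwords', $passwords);
}

function vulnerable_check(int $post_id, string $supplied): array {
    $passwords = get_meta($post_id, 'download_passwords') ?? [];
    if (in_array($supplied, $passwords, true)) {
        return ['success' => true];
    }
    // The same mistake as the removed line: the valid passwords are placed in
    // the error response, so anyone submitting a wrong password receives them.
    return ['success' => false, 'op' => $passwords];
}

// ---- Hardened pattern: only salted hashes are stored ----

function protect(int $post_id, array $passwords): void {
    // password_hash() salts each password and uses a slow hash (bcrypt by default).
    $hashes = array_map(
        fn(string $p) => password_hash($p, PASSWORD_DEFAULT),
        $passwords
    );
    set_meta($post_id, 'download_passwords', $hashes);
}

function check(int $post_id, string $supplied): array {
    foreach (get_meta($post_id, 'download_passwords') ?? [] as $hash) {
        // Constant-time comparison against the stored hash; the plaintext is
        // never held in postmeta, so a response cannot leak it.
        if (password_verify($supplied, $hash)) {
            return ['success' => true];
        }
    }
    return ['success' => false, 'error' => 'Invalid password'];
}

// Demonstration on constructed data (post ID 42 and these passwords are made up).
vulnerable_protect(42, ['letmein', 'hunter2']);
echo json_encode(vulnerable_check(42, 'wrong')), "\n";
// => {"success":false,"op":["letmein","hunter2"]}   (passwords disclosed)

protect(42, ['letmein', 'hunter2']);
echo json_encode(check(42, 'wrong')), "\n";
// => {"success":false,"error":"Invalid password"}
echo json_encode(check(42, 'hunter2')), "\n";
// => {"success":true}
echo json_encode(get_meta(42, 'download_passwords')), "\n";
// => bcrypt strings such as "$2y$10$..." rather than the passwords
```

Inside WordPress itself the equivalent calls are `wp_hash_password()` and `wp_check_password()`, which wrap the same idea. One caveat a developer may raise: once only hashes are stored, the admin screen can no longer display the current passwords, so a reset-only workflow is needed. That is a UI change, not a reason to keep plaintext in the database.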
Maybe the developer is intentionally storing passwords that way, but we have made an attempt to reach out to them to suggest that it isn’t a good idea (we couldn’t find a dedicated security contact for the developer).