CVE-2023-6421: 
WordPress vulnerability analysis and mitigation

The Download Manager WordPress plugin versions before 3.2.83 contains a security vulnerability identified as CVE-2023-6421. The vulnerability allows unauthorized access to password-protected file download passwords, which are leaked when an invalid password is submitted. This vulnerability was discovered by Liu Shaohong and was publicly disclosed on November 29, 2023 (WPScan).

The vulnerability is classified as an Incorrect Authorization issue (CWE-863) and falls under the OWASP Top 10 category A5: Broken Access Control. It has been assigned a CVSS score of 5.3 (medium severity). The vulnerability occurs when the plugin improperly handles password validation for protected file downloads, exposing the actual password in the response when an invalid password is submitted (WPScan).

When exploited, this vulnerability allows unauthenticated attackers to obtain passwords for protected file downloads. This compromises the security of password-protected content within WordPress installations using the affected Download Manager plugin versions (WPScan).

The vulnerability has been patched in Download Manager version 3.2.83. Users are advised to update their installations to this version or later to protect against this security issue (WPScan).