Code Injection Vulnerability in CM Downloads Manager Plugin for WordPress
CVE-2014-8877

Currently unrated

Key Information:

Vendor: Wordpress
Status: Cm Download Manager
Vendor: CVE Published:; 5 December 2014

Summary

The CM Downloads Manager plugin for WordPress has a vulnerability in the alterSearchQuery function located in lib/controllers/CmdownloadController.php. This flaw allows remote attackers to execute arbitrary PHP code by exploiting the CMDsearch parameter in cmdownloads/. The vulnerability arises from the use of the PHP create_function function, which permits unauthorized code execution, posing a significant risk to affected installations.

References

https://downloadsmanager.cminds.com/release-notes/

x_refsource_CONFIRM

http://packetstormsecurity.com/files/129183/WordPress-CM-...

x_refsource_MISC

http://www.securityfocus.com/bid/71204

vdb-entryx_refsource_BID

EPSS Score

30% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Dec 5, 2014
Vulnerability Reserved
Nov 14, 2014