Stored Cross-Site Scripting Vulnerability in Download Manager Plugin for WordPress
CVE-2024-10706
Key Information:
- Vendor: WordPress
- Plugin: Download Manager
- CVE Published: 20 December 2024
Summary
CVE-2024-10706 is a high-risk vulnerability in the Download Manager plugin for WordPress. The flaw stems from insufficient input sanitization and output escaping of certain plugin settings. As a result, authenticated users with elevated privileges, such as administrators, can store script in those settings and carry out Stored Cross-Site Scripting (XSS) attacks, even in configurations where the 'unfiltered_html' capability is restricted. This matters most on multisite installations, where site administrators are normally denied unfiltered_html, so the plugin's missing checks let them inject script that runs in the browser of every visitor to the affected sites.
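The root cause described above is the classic WordPress settings pattern done wrong: saving a setting as submitted and echoing it unescaped. The example below is added for this page and is not the Download Manager plugin's own code; it assumes it runs inside WordPress, and the option name and function names (prefixed `example_dm_`) are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress runtime;
// option and function names are hypothetical.

// Vulnerable pattern: the stored setting is echoed as-is, so whatever an
// administrator saved (including script) runs in every visitor's browser,
// regardless of whether that user holds the unfiltered_html capability.
function example_dm_render_footer_unsafe() {
    echo get_option( 'example_dm_footer_text', '' ); // no escaping
}

// Hardened pattern, step 1: sanitize on save via register_setting().
function example_dm_sanitize_footer_text( $value ) {
    // Only users explicitly granted unfiltered_html (on multisite, super
    // admins rather than site admins) may keep markup, and even then only
    // the post-safe allowlist; everyone else is reduced to plain text.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return wp_kses_post( (string) $value );
    }
    return sanitize_text_field( (string) $value );
}

function example_dm_register_settings() {
    register_setting(
        'example_dm_options',
        'example_dm_footer_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_dm_sanitize_footer_text',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_dm_register_settings' );

// Hardened pattern, step 2: escape at the point of output. Re-filtering
// here also neutralises values stored before the sanitizer existed.
function example_dm_render_footer_safe() {
    echo wp_kses_post( get_option( 'example_dm_footer_text', '' ) );
}

// In the settings form the value lands in an attribute, so escape for
// that context rather than for an HTML body.
function example_dm_settings_field() {
    printf(
        '<input type="text" name="example_dm_footer_text" value="%s" />',
        esc_attr( get_option( 'example_dm_footer_text', '' ) )
    );
}
```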
Affected Version(s)
Download Manager, all versions before 3.3.03
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved