Arbitrary Shortcode Execution in WordPress Download Manager Plugin
CVE-2024-11740

7.3 HIGH

Key Information:

Vendor:
WordPress
CVE Published:
19 December 2024

Summary

CVE-2024-11740 describes an arbitrary shortcode execution vulnerability in the Download Manager plugin for WordPress, affecting all versions up to and including 3.3.03. A code path reachable without authentication does not properly validate a request-supplied value before it is used to run shortcodes, so an unauthenticated attacker can invoke any shortcode registered on the site, including those provided by the active theme and by other installed plugins. The practical impact depends on what those shortcodes do, which is why the CVSS rating assigns only low confidentiality, integrity and availability impact; shortcodes that render stored content, query data or trigger side effects can still be abused to read information or alter the site. Site owners should update the plugin to a release later than 3.3.03.
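The following is an added illustration of the vulnerability class the advisory describes, not code from the Download Manager plugin or from this page; the hook names, request parameters and capability are hypothetical. It places a handler that hands a request value straight to do_shortcode() next to a hardened version that authenticates the caller, accepts only an identifier from a server-side allowlist, and builds the shortcode string itself so no caller-supplied text ever reaches the shortcode engine.

```php
<?php
// Added example of the "arbitrary shortcode execution" pattern.
// NOT the Download Manager plugin's code; all names below are hypothetical.

// VULNERABLE PATTERN. The wp_ajax_nopriv_ hook makes the action reachable at
// /wp-admin/admin-ajax.php without a logged-in user, and the request value is
// passed unvalidated to do_shortcode(). A request such as
//   action=example_render&content=[any_registered_shortcode]
// therefore runs whichever shortcode the attacker names.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
add_action( 'wp_ajax_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    $content = isset( $_REQUEST['content'] ) ? wp_unslash( $_REQUEST['content'] ) : '';
    echo do_shortcode( $content ); // attacker decides which shortcodes execute
    wp_die();
}

// HARDENED PATTERN. No nopriv hook, a capability check, a nonce check, a
// fixed allowlist of shortcode tags and their permitted attributes, and a
// shortcode string assembled server-side from sanitized values only.
add_action( 'wp_ajax_example_render_safe', 'example_render_hardened' );
function example_render_hardened() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    // Allowlist: shortcode tag => attribute keys this endpoint may set.
    // (Hypothetical tag; a real plugin lists its own shortcodes here.)
    $allowed = array(
        'example_gallery' => array( 'id' ),
    );

    $tag = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! isset( $allowed[ $tag ] ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Only allowlisted attributes, coerced to non-negative integers.
    $atts = array();
    foreach ( $allowed[ $tag ] as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $atts[] = sprintf( '%s="%d"', $key, absint( $_POST[ $key ] ) );
        }
    }

    $shortcode = '[' . $tag . ( $atts ? ' ' . implode( ' ', $atts ) : '' ) . ']';
    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

When auditing a plugin for this class of bug, look for do_shortcode() (or apply_shortcodes()) whose argument derives from $_GET, $_POST or $_REQUEST, and check whether the surrounding callback is registered on a wp_ajax_nopriv_ hook, a public REST route or a front-end form handler; any such path needs the allowlist-and-assemble approach rather than a blocklist applied to the raw string.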

Affected Version(s)

Download Manager <= 3.3.03

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (19 December 2024)

Credit

Michael Mazzolini