Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
wpdownloadmanager wordpress download manager vulnerabilities and exploits
(subscribe to this query)
8.8
CVSSv3
CVE-2022-2431
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon downl...
Wpdownloadmanager Wordpress Download Manager
8.8
CVSSv3
CVE-2022-2436
The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call ...
Wpdownloadmanager Wordpress Download Manager
8.8
CVSSv3
CVE-2022-36288
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.
Wpdownloadmanager Wordpress Download Manager
8.8
CVSSv3
CVE-2022-34347
Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.
Wpdownloadmanager Wordpress Download Manager
8.8
CVSSv3
CVE-2021-25069
The Download Manager WordPress plugin prior to 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue
Wpdownloadmanager Download Manager
8.8
CVSSv3
CVE-2021-34639
Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. This issue affects: WordPress Download Manager version 3...
Wpdownloadmanager Wordpress Download Manager
7.5
CVSSv3
CVE-2023-6421
The Download Manager WordPress plugin prior to 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one.
Wpdownloadmanager Wordpress Download Manager
7.5
CVSSv3
CVE-2023-1809
The Download Manager WordPress plugin prior to 6.3.0 leaks master key information without the need for a password, allowing malicious users to download arbitrary password-protected package files.
Wpdownloadmanager Download Manager
7.5
CVSSv3
CVE-2022-2362
The Download Manager WordPress plugin prior to 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based download blocking restrictions.
Wpdownloadmanager Wordpress Download Manager
7.5
CVSSv3
CVE-2022-0828
The Download Manager WordPress plugin prior to 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an malicious user to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or passwor...
Wpdownloadmanager Wordpress Download Manager
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
type confusion
IMAP
CVE-2024-36103
CVE-2024-28995
CVE-2024-37325
CVE-2024-30078
CVE-2024-30082
SQL injection
CVE-2024-30052
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »