Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
download plugin vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2022-2362
The Download Manager WordPress plugin prior to 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based download blocking restrictions.
Wpdownloadmanager Wordpress Download Manager
8.8
CVSSv3
CVE-2021-24748
The Email Before Download WordPress plugin prior to 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues
Mandsconsulting Email Before Download
4.8
CVSSv3
CVE-2021-24773
The WordPress Download Manager WordPress plugin prior to 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed
Wpdownloadmanager Wordpress Download Manager
7.2
CVSSv3
CVE-2022-3076
The CM Download Manager WordPress plugin prior to 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example.
Cminds Cm Download Manager
7.5
CVSSv3
CVE-2021-25087
The Download Manager WordPress plugin prior to 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing unauthenticated malicious users to call them, which could lead to sensitive information disclosure, such as posts passwords (fixed in 3.2.24) a...
Wpdownloadmanager Wordpress Download Manager
5.4
CVSSv3
CVE-2022-4476
The Download Manager WordPress plugin prior to 3.2.62 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-...
Wpdownloadmanager Wordpress Download Manager
7.5
CVSSv3
CVE-2022-0828
The Download Manager WordPress plugin prior to 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an malicious user to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or passwor...
Wpdownloadmanager Wordpress Download Manager
8.8
CVSSv3
CVE-2022-2431
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon downl...
Wpdownloadmanager Wordpress Download Manager
5.4
CVSSv3
CVE-2021-24969
The WordPress Download Manager WordPress plugin prior to 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any aut...
Wpdownloadmanager Wordpress Download Manager
6.1
CVSSv3
CVE-2022-1985
The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including 3.2.42. This is due to insufficient input sanitization and output escaping on the 'frameid' parameter found in the ~/src/Package/views/shortcode-if...
Wpdownloadmanager Wordpress Download Manager
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27977
IMAP
local users
CVE-2024-32038
CVE-2023-49963
CVE-2023-22869
CVE-2024-31497
local
CVE-2024-2961
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »