Platform
wordpress
Component
wpdm-elementor
Fixed in
1.3.1
CVE-2026-24956 describes a SQL Injection vulnerability discovered in Download Manager Addons for Elementor, a WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.3.0. A fix is available in version 2.0.0.
The SQL Injection vulnerability in Download Manager Addons for Elementor poses a significant risk to WordPress websites utilizing the plugin. An attacker could exploit this flaw to bypass authentication mechanisms and directly query the database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, email addresses, and potentially even financial information if the plugin interacts with e-commerce functionalities. The blind nature of the injection means the attacker may need to perform numerous queries to extract data, but the potential impact remains severe. Successful exploitation could also allow an attacker to modify or delete data within the database, leading to website defacement or complete data loss. This vulnerability shares characteristics with other SQL injection attacks, where attackers leverage database queries to gain unauthorized access.
CVE-2026-24956 was publicly disclosed on 2026-02-20. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the nature of SQL injection vulnerabilities makes it likely that one will emerge. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk to federal information systems.
Websites utilizing Download Manager Addons for Elementor, particularly those with sensitive user data or financial transactions, are at significant risk. Shared hosting environments where multiple WordPress sites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r "wpdm_download_id = '" /var/www/html/wp-content/plugins/download-manager-addons-for-elementor/includes/
• generic web (the URL must be quoted, otherwise the shell treats the "&" as a background operator and truncates the query string):
  curl -I "https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=wpdm_get_download_link&file_id=1" | grep SQLdisclosure
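The grep above looks for a request value spliced directly into a quoted SQL literal. The following is an added illustration of that pattern beside its hardened form; it is hypothetical code, not the plugin's own, and only the column name wpdm_download_id comes from the page (table, function and hook names are assumed).

```php
<?php
// Added illustration, not the plugin's code. Only the column name
// wpdm_download_id appears on the advisory page; everything else is assumed.

// VULNERABLE: the request parameter is concatenated into the SQL string, so a
// closing quote in an attacker-controlled value ends the literal and the rest
// of the value is parsed as SQL. With no visible output difference beyond the
// returned link, this becomes a blind (boolean/time-based) injection.
function wpdm_get_link_vulnerable( $file_id ) {
    global $wpdb;
    $sql = "SELECT link FROM {$wpdb->prefix}wpdm_links WHERE wpdm_download_id = '" . $file_id . "'";
    return $wpdb->get_var( $sql );
}

// HARDENED: coerce the id to a non-negative integer and bind it through
// $wpdb->prepare(), so the value can never alter the query structure.
function wpdm_get_link_hardened( $file_id ) {
    global $wpdb;
    $file_id = absint( $file_id );   // integer ids only; anything else becomes 0
    if ( 0 === $file_id ) {
        return null;                 // reject missing or malformed ids early
    }
    $sql = $wpdb->prepare(
        "SELECT link FROM {$wpdb->prefix}wpdm_links WHERE wpdm_download_id = %d",
        $file_id
    );
    return $wpdb->get_var( $sql );
}

// Defence in depth: require an authenticated AJAX call with a valid nonce and a
// capability check before the database is touched at all (WordPress core APIs;
// the hook and nonce names are hypothetical).
add_action( 'wp_ajax_wpdm_get_download_link_example', function () {
    check_ajax_referer( 'wpdm_link_nonce', '_ajax_nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( wpdm_get_link_hardened( $_POST['file_id'] ?? 0 ) );
} );
```

A code review of the installed plugin version should find no query built the way the first function is; every user-supplied value should reach the query through $wpdb->prepare() placeholders.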
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24956 is to immediately upgrade Download Manager Addons for Elementor to version 2.0.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to reduce the attack surface. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Reviewing and hardening database user permissions, so that the application's database account can reach only the data it needs, can also reduce the potential impact of a successful exploit. Monitor WordPress and database logs for suspicious queries that might indicate an ongoing attack.
Update to version 2.0.0 or a later patched version.
CVE-2026-24956 is a critical SQL Injection vulnerability affecting Download Manager Addons for Elementor, allowing attackers to potentially extract sensitive data from the database.
You are affected if you are using Download Manager Addons for Elementor versions 0.0.0 through 1.3.0. Upgrade to 2.0.0 or later to resolve the issue.
Upgrade Download Manager Addons for Elementor to version 2.0.0 or later. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the CRITICAL severity warrants immediate attention and remediation.
Refer to the official Download Manager Addons for Elementor website or WordPress plugin repository for the latest advisory and update information.