Platform
wordpress
Component
wpdm-elementor
Fixed in
1.3.1
CVE-2026-24956 describes a SQL Injection vulnerability discovered in Download Manager Addons for Elementor, a WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.3.0. A fix is available in version 2.0.0.
The SQL Injection vulnerability in Download Manager Addons for Elementor allows an attacker to bypass security measures and interact directly with the underlying database. Because the injection is blind, the attacker receives no direct output from the injected queries, but can still infer information through timing differences or other side channels. Successful exploitation could result in the extraction of sensitive user data, including usernames, password hashes, email addresses, and potentially file download history. Depending on the database schema and the privileges of the database user, an attacker might also be able to modify or delete data, leading to data corruption or denial of service. The impact is particularly severe if the database holds sensitive information related to user accounts or financial transactions.
CVE-2026-24956 was publicly disclosed on 2026-02-20. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high potential for exploitation if a suitable exploit is developed and made public.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24956 is to upgrade Download Manager Addons for Elementor to version 2.0.0 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider temporary workarounds. A Web Application Firewall (WAF) configured with rules that detect and block SQL injection attempts provides an additional layer of protection; in particular, apply rules that match SQL injection patterns in the plugin's input parameters. Regularly review and audit database access logs for suspicious activity, paying close attention to queries originating from the plugin. After upgrading, verify the fix by re-testing the previously vulnerable endpoint for SQL injection and confirming that the attempt is blocked.
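The log review recommended above is easier to act on with a small triage script. The following is an added example, not code from this advisory or from the plugin: it parses web-server access-log lines, URL-decodes each request's query string so encoded payloads become visible, and flags the indicators of blind SQL injection the text mentions (time-based functions such as SLEEP(), boolean conditions such as `' AND 1=1`, and UNION-based probes), correlating time-based payloads with slow responses. The log format (Apache combined log with one extra trailing field holding the request duration in microseconds), the parameter name `package_id`, the plugin asset path, and the 3000 ms slow-response threshold are all assumptions; the sample log lines are constructed.

```python
"""Triage of web-server access logs for blind SQL injection indicators.

Added example (not code from the advisory or the plugin). It assumes an
Apache-style combined log with one extra trailing field holding the request
duration in microseconds. All log lines below are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines. The parameter name "package_id" and the plugin
# asset path are assumptions used only for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2026:10:01:02 +0000] "GET /?package_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 38000
203.0.113.7 - - [20/Feb/2026:10:01:09 +0000] "GET /?package_id=12%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5120 "-" "curl/8.4" 5042000
203.0.113.7 - - [20/Feb/2026:10:01:15 +0000] "GET /?package_id=12%27%20AND%201%3D1--%20- HTTP/1.1" 200 5120 "-" "curl/8.4" 41000
203.0.113.9 - - [20/Feb/2026:10:02:00 +0000] "GET /wp-content/plugins/wpdm-elementor/assets/app.js HTTP/1.1" 200 903 "-" "Mozilla/5.0" 2100
"""

# Combined log format plus a trailing duration field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)

# Indicator patterns applied to the decoded request.
TIME_BASED = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
BOOLEAN = re.compile(r"""['"]\s*(?:and|or)\s+\d+\s*=\s*\d+""", re.I)
UNION = re.compile(r"\bunion\b.+\bselect\b", re.I)

SLOW_MS = 3000  # assumed threshold: a time-based payload plus a slow reply is a strong signal


def decode_target(target: str) -> str:
    """Return the path plus the fully URL-decoded query so encoded payloads are visible."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # parse_qsl decodes values
    decoded = "&".join(f"{k}={v}" for k, v in params)
    return unquote_plus(parts.path) + ("?" + decoded if decoded else "")


def classify(line: str) -> Optional[dict]:
    """Parse one log line and return a finding dict, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    indicators = []
    if TIME_BASED.search(decoded):
        indicators.append("time-based")
    if BOOLEAN.search(decoded):
        indicators.append("boolean")
    if UNION.search(decoded):
        indicators.append("union")
    duration_ms = int(m["usec"]) / 1000
    # A slow response only matters when a payload was present in the same request.
    if indicators and duration_ms >= SLOW_MS:
        indicators.append("slow-response")
    if not indicators:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "request": decoded,
        "duration_ms": duration_ms,
        "indicators": indicators,
    }


def triage(log_text: str) -> list:
    """Run classify() over every line and keep only the findings."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['duration_ms']:.0f}ms {hit['indicators']} {hit['request']}")
```

On the constructed sample, the second line is flagged as time-based with a slow response and the third as a boolean probe; the legitimate requests produce no finding. In practice, feed the script the decoded request rather than the raw line (as it does) so that percent-encoded or plus-encoded payloads are not missed, and tune the duration threshold to the site's normal response times.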
Update to version 2.0.0 or a newer patched version.
CVE-2026-24956 is a critical SQL Injection vulnerability affecting Download Manager Addons for Elementor, allowing attackers to potentially extract sensitive data from the database.
You are affected if you are using Download Manager Addons for Elementor versions 0.0.0 through 1.3.0. Upgrade to 2.0.0 or later to resolve the issue.
Upgrade Download Manager Addons for Elementor to version 2.0.0 or later. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the CRITICAL severity warrants immediate attention and remediation.
Refer to the official Download Manager Addons for Elementor website or WordPress plugin repository for the latest advisory and update information.