Platform
wordpress
Component
download-manager
CVE-2024-11740 is an arbitrary shortcode execution vulnerability in the Download Manager plugin for WordPress. The plugin exposes an action that passes a request-supplied value to do_shortcode() without properly validating it, so an unauthenticated attacker can make the site parse and execute any shortcode registered by the plugin, the theme or any other installed plugin, with attacker-chosen attributes. All versions up to and including 3.3.03 are affected; the vendor has released a fixed version.
The impact is significant because exploitation needs no credentials and no user interaction: a single crafted request makes the server run attacker-chosen shortcodes. What that buys the attacker depends on which shortcodes are registered on the site. Executing a shortcode does not by itself run attacker-supplied PHP, but any shortcode that renders private or protected content, queries the database, fetches remote resources or performs a privileged action becomes reachable without authentication, and a shortcode that evaluates code (some plugins ship one) turns the flaw into remote code execution and full control of the site and its server. Realistic outcomes range from data exposure and content tampering to defacement, malware installation and redirection of visitors to attacker-controlled sites. The blast radius is every site running a vulnerable version, regardless of its size or purpose.
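To make the flaw concrete, the following pair of AJAX handlers is an illustrative example written for this page; it is not code from the Download Manager plugin or from the vendor's patch. The first handler shows the vulnerable pattern (a request-controlled string reaching do_shortcode() unvalidated); the second shows a hardened version. The action names, parameter names, nonce action and the allowlisted tags are all hypothetical.

```php
<?php
// Illustrative example added to this page; not code from the Download Manager plugin.
// Action names, parameter names and shortcode tags below are hypothetical.

// VULNERABLE PATTERN: an unauthenticated AJAX action hands a request value
// straight to do_shortcode(). Every shortcode registered on the site, from any
// plugin or the theme, can now be invoked by anyone who can reach admin-ajax.php.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
add_action( 'wp_ajax_example_render',        'example_render_vulnerable' );
function example_render_vulnerable() {
    $content = isset( $_REQUEST['content'] ) ? wp_unslash( $_REQUEST['content'] ) : '';
    echo do_shortcode( $content );   // attacker-controlled text is parsed for [shortcodes]
    wp_die();
}

// HARDENED PATTERN: never parse request data for shortcodes. Accept only a
// shortcode *tag* from a fixed allowlist, require a nonce, validate each
// attribute on its own, and assemble the shortcode string server-side so that
// neither extra tags nor extra attributes can be smuggled in.
add_action( 'wp_ajax_nopriv_example_render_safe', 'example_render_safe' );
add_action( 'wp_ajax_example_render_safe',        'example_render_safe' );
function example_render_safe() {
    // The nonce ties the request to a page this site served (hypothetical action name).
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    // Only the tags this feature is meant to render (hypothetical tags).
    $allowed = array( 'example_list', 'example_download' );

    // sanitize_key() leaves only [a-z0-9_-], which is all a tag name needs.
    $tag = isset( $_REQUEST['tag'] ) ? sanitize_key( wp_unslash( $_REQUEST['tag'] ) ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Attributes are validated individually; here a single numeric id.
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;

    // The shortcode text is built from validated parts, never from raw input.
    echo do_shortcode( sprintf( '[%s id="%d"]', $tag, $id ) );
    wp_die();
}
```

If the action is meant for privileged users only, add a current_user_can() check next to the nonce check and drop the wp_ajax_nopriv_ registration; the nonce alone proves the request came from a page the site served, not that the caller is allowed to perform the action.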
The vulnerability was publicly disclosed on December 19, 2024. No active exploitation campaign has been confirmed, but public proof-of-concept exploits exist and the request is trivial to craft, so opportunistic mass exploitation is likely. It was not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
Any site running version 3.3.03 or earlier of the Download Manager plugin is at risk. An installed but inactive copy is not loaded by WordPress, so its actions are unreachable, but it should still be updated or removed before it is reactivated. Sites whose plugin updates are handled by a hosting provider or agency, and therefore lag behind releases, stay exposed longer, as do sites without regular vulnerability scanning that would flag the outdated version.
Checks you can run:

• Read the installed version with WP-CLI (affected if it is 3.3.03 or lower):
  wp plugin get download-manager --field=version

• Confirm whether the plugin is installed and active:
  wp plugin list --fields=name,status,version | grep download-manager

• Locate the do_shortcode() call sites in the installed copy for code review (fixed versions still call do_shortcode(), so a match alone does not prove the site is vulnerable):
  grep -rn 'do_shortcode' /var/www/html/wp-content/plugins/download-manager/

• From outside, read the version the plugin advertises in its readme, if that file is web-readable (an HTTP header such as X-Powered-By says nothing about plugin versions):
  curl -s https://your-wordpress-site.com/wp-content/plugins/download-manager/readme.txt | grep -i 'stable tag'
Exploit status
EPSS
10.62% (93rd percentile)
The primary mitigation for CVE-2024-11740 is to update the Download Manager plugin to a fixed release, that is, any version later than 3.3.03, and to confirm the installed version afterwards. If updating immediately is not feasible, deactivate the plugin until it can be updated; an unloaded plugin cannot serve the vulnerable action, at the cost of the download functionality it provides. A web application firewall rule that blocks shortcode syntax in request parameters from unauthenticated clients adds a layer of protection, but it is a coarse control that can be evaded or cause false positives, not a substitute for the update. Scan the WordPress installation regularly for outdated or vulnerable plugins.
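As a stop-gap while the update is scheduled, the following must-use plugin is an added example for this page, not part of the plugin or the vendor's patch. It rejects requests from non-logged-in clients whose GET or POST values contain shortcode syntax for a tag actually registered on the site, and logs the hit. It assumes the attacker has to place the shortcode text in a request parameter, which is the general shape of this class of flaw; the plugin name, function prefix scg_ and log format are hypothetical.

```php
<?php
/**
 * Plugin Name: Shortcode-in-request guard (temporary mitigation example)
 *
 * Added example for this page, not vendor code. Drop into wp-content/mu-plugins/.
 * Rejects requests from non-logged-in users whose GET/POST values contain
 * "[tag" where tag is a shortcode registered on this site. Logged-in users are
 * exempt so editors can still save content that legitimately contains shortcodes.
 */

// Return array('param' => name, 'tag' => shortcode) for the first request value
// that contains a registered shortcode, or null if none does.
function scg_find_shortcode_in_request( array $params ) {
    global $shortcode_tags;                    // the registry do_shortcode() consults
    if ( empty( $shortcode_tags ) ) {
        return null;
    }
    foreach ( $params as $name => $value ) {
        if ( ! is_string( $value ) ) {
            continue;                          // nested arrays are out of scope here
        }
        // Undo common evasions: (double) URL-encoding and HTML entities.
        $candidate = html_entity_decode( rawurldecode( rawurldecode( $value ) ), ENT_QUOTES );
        if ( strpos( $candidate, '[' ) === false ) {
            continue;
        }
        // get_shortcode_regex() matches exactly the tags registered on this site;
        // capture group 2 is the tag name.
        if ( preg_match( '/' . get_shortcode_regex() . '/s', $candidate, $m ) ) {
            return array( 'param' => (string) $name, 'tag' => $m[2] );
        }
    }
    return null;
}

// wp_loaded fires after every plugin and the theme have had their 'init' turn,
// so the shortcode registry is complete; admin-ajax.php and REST requests reach it too.
add_action( 'wp_loaded', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    $hit = scg_find_shortcode_in_request( array_merge( $_GET, $_POST ) );
    if ( $hit === null ) {
        return;
    }
    // Hypothetical log line format; goes to the PHP error log.
    error_log( sprintf( 'scg: blocked shortcode [%s] in parameter "%s" from %s %s',
        $hit['tag'], $hit['param'],
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-' ) );
    status_header( 403 );
    nocache_headers();
    exit( 'Forbidden' );
} );
```

Expect some false positives: an anonymous comment or contact-form submission that happens to contain "[gallery]" or another registered tag will be rejected, and only top-level string parameters are inspected, so watch the error log for a day before relying on it and remove the guard once the plugin is updated.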
Update the Download Manager plugin to the latest available version. The vulnerability allows execution of arbitrary shortcodes, so updating to a version later than 3.3.03 resolves the issue.
CVE-2024-11740 is a vulnerability in the Download Manager WordPress plugin that lets unauthenticated attackers execute arbitrary shortcodes because a request-supplied value is not properly validated before being passed to do_shortcode(), which can lead to site compromise.
You are affected if you are using the Download Manager plugin for WordPress in versions 3.3.03 or earlier. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Download Manager plugin to the latest version, which contains a patch for this vulnerability. If immediate upgrading is not possible, disable the plugin temporarily.
While no confirmed active exploitation campaigns are currently known, the availability of public proof-of-concept exploits suggests a high likelihood of exploitation.
Refer to the Download Manager plugin's official website or WordPress plugin repository for the latest advisory and update information.