Platform: wordpress
Component: download-manager
CVE-2024-11740 describes an arbitrary shortcode execution vulnerability discovered in the Download Manager plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, data theft, or even complete server compromise. The vulnerability affects versions up to and including 3.3.03. A patch is available from the vendor.
The impact of this vulnerability is significant due to its ease of exploitation and the potential for widespread damage. An attacker can leverage this flaw to inject malicious shortcodes into the WordPress site, which could then be executed by other users or automated processes. This could lead to the execution of arbitrary PHP code, allowing the attacker to gain full control of the website and its underlying server. The attacker could steal sensitive data, modify content, install malware, or redirect users to malicious websites. The blast radius extends to any website using the vulnerable plugin, regardless of its size or purpose.
This vulnerability was publicly disclosed on December 19, 2024. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation makes it a likely target for opportunistic attackers. There are currently public proof-of-concept exploits available, increasing the risk of widespread exploitation. It is not listed on the CISA KEV catalog at the time of writing.
Websites using the Download Manager plugin for WordPress, particularly those running versions 3.3.03 or earlier, are at risk. Shared hosting environments are particularly vulnerable as they often have limited control over plugin updates. Sites with weak security configurations or those that haven't implemented regular security scanning are also at increased risk.
• wordpress / composer / npm:
  grep -r 'do_shortcode' /var/www/html/wp-content/plugins/download-manager/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep download-manager
• wordpress / composer / npm:
  curl -I https://your-wordpress-site.com/wp-content/plugins/download-manager/ | grep 'X-Powered-By'
Disclosure
Exploit Status
EPSS: 10.62% (93rd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-11740 is to upgrade the Download Manager plugin to a version that addresses the vulnerability. The vendor has released a patch, and users should apply it as soon as possible. If immediate upgrading is not feasible, consider temporarily disabling the Download Manager plugin to prevent exploitation. Web application firewalls (WAFs) configured to detect and block shortcode injection attempts can provide an additional layer of protection. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools.
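As an added example (not code from this advisory or from the plugin vendor), the following POSIX shell check decides whether an installed Download Manager version falls in the affected range (3.3.03 or earlier) by parsing WP-CLI plugin listing output. It assumes `wp plugin list --fields=name,status,version --format=csv` yields rows of the form name,status,version; the sample rows embedded below are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag an installed Download Manager
# version that is at or below 3.3.03 (the last affected release per the advisory).

AFFECTED_MAX="3.3.03"

# Returns 0 (true) when version $1 is <= 3.3.03, i.e. affected by CVE-2024-11740.
# sort -V orders release strings component by component, so if the candidate
# sorts first (or ties) it is not newer than the last affected release.
is_affected_version() {
    lowest=$(printf '%s\n%s\n' "$1" "$AFFECTED_MAX" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Reads CSV rows "name,status,version" (the assumed output of
# `wp plugin list --fields=name,status,version --format=csv`) on stdin and
# prints one verdict: "affected <ver>", "patched <ver>" or "not-installed".
check_download_manager() {
    row=$(grep '^download-manager,' | head -n 1)
    if [ -z "$row" ]; then
        echo "not-installed"
        return 0
    fi
    ver=$(printf '%s' "$row" | cut -d, -f3)
    if is_affected_version "$ver"; then
        echo "affected $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample rows; on a live site pipe the real WP-CLI output instead:
#   wp plugin list --fields=name,status,version --format=csv | check_download_manager
SAMPLE='name,status,version
akismet,active,5.3
download-manager,active,3.3.03'

printf '%s\n' "$SAMPLE" | check_download_manager   # prints "affected 3.3.03"
```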
Update the Download Manager plugin to the latest available version. The vulnerability allows execution of arbitrary shortcodes, so updating to a version later than 3.3.03 will fix the problem.
CVE-2024-11740 is a vulnerability in the Download Manager WordPress plugin that allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient input validation, leading to potential website compromise.
You are affected if you are using the Download Manager plugin for WordPress in versions 3.3.03 or earlier. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Download Manager plugin to the latest version, which contains a patch for this vulnerability. If immediate upgrading is not possible, disable the plugin temporarily.
While no confirmed active exploitation campaigns are currently known, the availability of public proof-of-concept exploits suggests a high likelihood of exploitation.
Refer to the Download Manager plugin's official website or WordPress plugin repository for the latest advisory and update information.