cbcvebase.
CVE-2014-8877
published 2014-12-05


Priority: P2 · 69 · critical
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: EXPLOIT (public exploit recorded)
EPSS: 14.80% (96.3rd percentile)
The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
creative_minds | cm_download_manager | <= 2.0.3 |
creative_minds | cm_download_manager | |
creative_minds | cm_download_manager | |
creative_minds | cm_download_manager | |

Detection & IOCs (extracted from sources)

url: /cmdownloads/?CMDsearch=".phpinfo()."
path: /wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
other: CMDsearch
  • Monitor GET requests to the cmdownloads/ endpoint for the CMDsearch parameter containing PHP function call patterns (e.g., quote-dot-function-dot-quote sequences such as ".phpinfo().") indicative of create_function injection.
  • Alert on unauthenticated (anonymous) GET requests targeting /cmdownloads/ with a CMDsearch parameter, as exploitation requires no authentication.
  • Use the Google dork 'inurl:cmdownloads' to identify exposed WordPress instances running the vulnerable CM Download Manager plugin.
  • Inspect the vulnerable code path at lines 130–158 of CmdownloadController.php for unsanitized use of $_GET['CMDsearch'] passed directly into PHP's create_function(), enabling arbitrary code execution.
  • The vulnerability affects CM Download Manager versions 2.0.0 and earlier; version 2.0.4 contains the patch. Detection rules should be scoped to installations running versions prior to 2.0.4.
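The first two detection bullets describe a log-based rule: flag GET requests to the cmdownloads/ endpoint whose CMDsearch value carries a quote-dot-function-dot-quote sequence. The following Python script is an added example of that rule, not code from the CVE record or from the plugin's authors. It assumes web-server access logs in Apache/nginx combined format; the log lines embedded below are constructed for the demonstration and are not real traffic. The `suspicious_cmdsearch` verdict for values containing PHP-like characters is an extra, lower-confidence tier added here and is not part of the source's rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). Not real traffic:
# line 1 carries the injection pattern from the IOC list, URL-encoded as a
# web server would log it; line 3 is a parenthesised but non-injection value.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2014:10:00:01 +0000] "GET /cmdownloads/?CMDsearch=%22.phpinfo%28%29.%22 HTTP/1.1" 200 5120 "-" "curl/7.38.0"
203.0.113.6 - - [05/Dec/2014:10:00:02 +0000] "GET /cmdownloads/?CMDsearch=manual HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2014:10:00:03 +0000] "GET /cmdownloads/?CMDsearch=report%282014%29 HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
203.0.113.8 - - [05/Dec/2014:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Shape of a string escape into create_function():  " . name( ... ) . "
INJECTION_RE = re.compile(r'"\s*\.\s*[A-Za-z_]\w*\s*\(.*?\)\s*\.\s*"')

# Characters that have no place in a plain download-search term (assumption
# made for this example; tune to the site's real search vocabulary).
PROBE_CHARS = set('();$`')


def classify_cmdsearch(value: str):
    """Return a verdict for one decoded CMDsearch value, or None if benign."""
    if INJECTION_RE.search(value):
        return "create_function_injection"
    if any(c in PROBE_CHARS for c in value):
        return "suspicious_cmdsearch"
    return None


def scan_access_log(text: str):
    """Scan combined-format log text; return findings for the cmdownloads/ endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        if "/cmdownloads" not in url.path.lower():
            continue  # only the vulnerable endpoint is of interest
        # parse_qs percent-decodes values, so %22.phpinfo%28%29.%22 becomes ".phpinfo()."
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("CMDsearch", []):
            verdict = classify_cmdsearch(value)
            if verdict:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "method": m.group("method"),
                    "status": m.group("status"),
                    "CMDsearch": value,
                    "verdict": verdict,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['verdict']:28} {f['ip']:14} {f['CMDsearch']!r}")
```

Because the rule keys on the decoded value, it also catches percent-encoded and mixed-case-encoded variants of the same sequence; it will not see requests that reach the plugin through a rewritten path that does not contain `cmdownloads`, so scope the endpoint match to whatever slug the site actually uses.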