Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-11740: Code Injection in Download Manager

CWE-94 Code Injection | 5 documents | 5 sources
Severity
7.3 HIGH (NVD)
EPSS
10.6% (top 6.69%)
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Dec 19, 2024

Description

The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. The plugin exposes an action that passes a request-supplied value to do_shortcode() without validating it, so an unauthenticated attacker can execute any shortcode registered on the site, with attacker-chosen attributes. What such an attacker can then read or change depends on which shortcodes the site's theme and other plugins register, consistent with the Low confidentiality, integrity and availability impact in the NVD vector below.
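The bug class above, as an added example that is not code from cvebase or from the Download Manager plugin: a minimal WordPress AJAX handler that hands a request value to do_shortcode(), beside one way to close it. The action names, request parameters and every "example_" function, constant and shortcode tag are hypothetical; the WordPress functions (add_action, do_shortcode, wp_unslash, sanitize_key, absint, shortcode_exists, check_ajax_referer, wp_send_json_error, wp_die) are the real core API.

```php
<?php
// Added example, not code from cvebase or the Download Manager plugin.
// Action names, parameter names and all "example_" identifiers are hypothetical.

// --- VULNERABLE PATTERN ---------------------------------------------------
// A request value goes straight into do_shortcode(). Every shortcode any
// active plugin or theme registered becomes reachable, with attacker-chosen
// attributes, by anyone who can reach admin-ajax.php.
function example_vulnerable_render() {
    $content = isset($_REQUEST['content']) ? wp_unslash($_REQUEST['content']) : '';
    echo do_shortcode($content);   // e.g. content=[any_registered_tag attr="..."]
    wp_die();
}
// wp_ajax_nopriv_* exposes the action to unauthenticated visitors.
add_action('wp_ajax_nopriv_example_render', 'example_vulnerable_render');
add_action('wp_ajax_example_render',        'example_vulnerable_render');

// --- HARDENED PATTERN -----------------------------------------------------
// The client may only pick *which* pre-approved shortcode to render and a
// numeric id; the shortcode text itself is assembled on the server.
const EXAMPLE_ALLOWED_SHORTCODES = ['example_box', 'example_list'];   // hypothetical tags

function example_build_shortcode(string $tag, int $id): ?string {
    if (!in_array($tag, EXAMPLE_ALLOWED_SHORTCODES, true)   // allow-list, strict compare
        || !shortcode_exists($tag)                          // tag is really registered
        || $id < 1) {
        return null;
    }
    // Only an allow-listed literal tag and an integer ever reach do_shortcode().
    return sprintf('[%s id="%d"]', $tag, $id);
}

function example_hardened_render() {
    // The nonce ties the call to a page this site rendered. It is defence in
    // depth, not the fix: a logged-out visitor can still obtain one. The
    // allow-list in example_build_shortcode() is what removes the bug.
    check_ajax_referer('example_render', 'nonce');

    $tag = isset($_REQUEST['tag']) ? sanitize_key(wp_unslash($_REQUEST['tag'])) : '';
    $id  = isset($_REQUEST['id'])  ? absint($_REQUEST['id']) : 0;

    $shortcode = example_build_shortcode($tag, $id);
    if ($shortcode === null) {
        wp_send_json_error('invalid tag or id', 400);   // emits JSON and exits
    }
    echo do_shortcode($shortcode);
    wp_die();
}
add_action('wp_ajax_nopriv_example_render_safe', 'example_hardened_render');
add_action('wp_ajax_example_render_safe',        'example_hardened_render');
```

The point of the hardened variant is that no attacker-controlled string is ever parsed as shortcode markup: the tag is compared against a fixed list with a strict in_array() and the only other input is an integer. Sanitising the raw string and still passing it to do_shortcode() would not be enough, since any well-formed `[tag ...]` survives sanitisation.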

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4
(network attack vector, low complexity, no privileges, no user interaction, unchanged scope; Low confidentiality, integrity and availability impact)

Affected Packages: 2 packages

🔴 Vulnerability Details (3)
CVEList: Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode Execution (2024-12-19)
GHSA: GHSA-cq39-wq4r-hjrj: The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3[...] (2024-12-19)
VulnCheck: w3eden download_manager Improper Control of Generation of Code ('Code Injection') (2024)

💥 Exploits & PoCs (1)

Nuclei: Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution
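The Nuclei template above is a remote check. As a local counterpart, here is an added triage helper (not code from cvebase, Nuclei or the Download Manager plugin) that reads the Version field from a plugin header and decides whether the build falls in the advisory's affected range: everything up to and including 3.3.03, i.e. anything below 3.3.04, the bound the template title also uses. The "example_" names are hypothetical, the first-unaffected version is taken from that range rather than from a plugin changelog, and the header block is constructed for the example.

```php
<?php
// Added example, not code from cvebase, Nuclei or the Download Manager plugin.
// "example_" identifiers are hypothetical; 3.3.04 is derived from the advisory's
// "<= 3.3.03" range, not from a changelog.

const EXAMPLE_WPDM_FIRST_UNAFFECTED = '3.3.04';

// Pull the "Version:" field out of a WordPress plugin header comment block
// (the same field get_plugin_data() reads from the plugin's main file).
function example_plugin_version_from_header(string $header): ?string {
    // Tolerate the " * ", "#" or "//" decoration WordPress allows before the field.
    if (preg_match('/^[ \t\/*#@]*Version:\s*([^\s*]+)/mi', $header, $m)) {
        return $m[1];
    }
    return null;
}

function example_is_affected_by_cve_2024_11740(string $version): bool {
    // version_compare() compares each dot-separated component as a number, so
    // '3.3.1' < '3.3.04' < '3.3.10'. A plain string comparison ranks '3.3.1'
    // above '3.3.04' (because '1' > '0') and would report it as patched.
    return version_compare($version, EXAMPLE_WPDM_FIRST_UNAFFECTED, '<');
}

// Constructed sample header in the shape of a WordPress plugin main file
// (not the real plugin file).
$sample_header = <<<'HDR'
<?php
/**
 * Plugin Name: Download Manager
 * Version: 3.3.03
 */
HDR;

$installed = example_plugin_version_from_header($sample_header);   // "3.3.03"
printf("header says %s -> %s\n", $installed,
    example_is_affected_by_cve_2024_11740($installed) ? 'AFFECTED' : 'not affected');

// Boundary cases, including the one a string comparison gets wrong ('3.3.1').
foreach (['3.2.9', '3.3.1', '3.3.03', '3.3.04', '3.3.10'] as $v) {
    printf("%-7s version_compare: %-12s strcmp: %s\n", $v,
        example_is_affected_by_cve_2024_11740($v) ? 'affected' : 'not affected',
        (strcmp($v, EXAMPLE_WPDM_FIRST_UNAFFECTED) < 0) ? 'affected' : 'not affected');
}
```

Run it with the PHP CLI. On a real install, feed the helper the header of the plugin's main file from wp-content/plugins, or take the version from `wp plugin get` and call example_is_affected_by_cve_2024_11740() directly; the point of the loop is that the affected/unaffected decision must come from version_compare(), not from string ordering.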
CVE-2024-11740 — Code Injection in Download Manager | cvebase