CVE-2024-11740
Published: 2024-12-19
Priority: P178
Severity: high, CVSS 3.1 base score 7.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploited in the wild (VulnCheck KEV)
EPSS: 1.89% (76.9th percentile)
The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codename065 | download_manager | <= 3.3.03 | — |
| w3eden | download_manager | < 3.3.04 | 3.3.04 |
Detection & IOCs
- Look for GET requests containing the `__wpdmxp` parameter with a shortcode injection payload targeting the Download Manager plugin.
- Successful exploitation returns the strings `wpdm-all-packages` and `wpdm-download-link download-on-click` in the HTTP response body.
- The vulnerable code path is in the plugin's Hooks.php (line 42) and shortcode-iframe.php (line 203), where `do_shortcode` is called without proper input validation.
- Exploitation requires no authentication: no session cookie or nonce is needed, so unauthenticated requests carrying the payload are the signal to look for.
- Affected versions are Download Manager plugin <= 3.3.03; version 3.3.04 and later are patched. Detections should be scoped to sites running vulnerable versions.
- The Nuclei template uses a single HTTP request (max-request: 1), meaning detection is lightweight but relies on specific response body strings that may vary with theme/plugin configuration.
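As an added example that is not part of this advisory or of the plugin, the request-side indicator above can be checked over web-server access logs; the log lines and the `[gallery]` shortcode payloads below are constructed, and the `__wpdmxp` parameter name comes from the IOC list. The scanner flags any method, not only GET, since the parameter can arrive either way.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# Line 1 and 4 carry a shortcode in __wpdmxp; line 2 carries a plain value; line 3 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2024:10:01:02 +0000] "GET /?__wpdmxp=%5Bgallery%5D HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [19/Dec/2024:10:01:05 +0000] "GET /download/?__wpdmxp=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.8 - - [19/Dec/2024:10:03:11 +0000] "POST /?__wpdmxp=%5Bgallery%20ids%3D1%5D HTTP/1.1" 200 800 "-" "python-requests/2.31"
"""

# ip, ident, user, timestamp, request line (method + target), status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# WordPress shortcode syntax: an opening bracket, a tag name, optional attributes, closing bracket.
SHORTCODE_RE = re.compile(r'\[[A-Za-z0-9_-]+[^\]]*\]')
PARAM = "__wpdmxp"  # parameter named in the IOC list


def shortcode_values(target):
    """Return the decoded __wpdmxp values of a request target that look like shortcodes."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])  # parse_qs percent-decodes once
    return [v for v in values if SHORTCODE_RE.search(v)]


def scan(log_text):
    """Parse combined-format log lines and return one record per request carrying a shortcode in __wpdmxp."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        payloads = shortcode_values(m["target"])
        if payloads:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "shortcodes": payloads})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit only shows the request was attempted; pair it with the plugin version on the host and, where response bodies are logged, with the `wpdm-all-packages` / `wpdm-download-link download-on-click` strings to confirm success.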
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| VulnCheck | — | 7.3 | HIGH | — |
GHSA
GHSA-cq39-wq4r-hjrj (ghsa_unreviewed, published 2024-12-19): CVE-2024-11740, severity HIGH, CWE-94. The advisory text is identical to the CVE description above.
VulnCheck
w3eden download_manager: Improper Control of Generation of Code ('Code Injection'), CVE-2024-11740, severity HIGH, 2024, CVSS 7.3. The entry text is identical to the CVE description above.
Affected: w3eden download_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-11740
No detection rules found.
Nuclei
Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution: CVE-2024-11740, severity HIGH, CVSS 7.3. The template description is identical to the CVE description above.
Template (description field truncated):

```yaml
id: CVE-2024-11740

info:
  name: Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing use
```

References:
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/Hooks.php#L42
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/views/shortcode-iframe.php#L203
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003?source=cve