CVE-2024-11768 — Improper Authorization in Download Manager
Severity
5.3 MEDIUM (NVD)
EPSS
0.2%
top 56.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 19
Description
The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 2 packages
Patches
Vulnerability Details (2)
CVEList
2024-12-19: Download manager <= 3.3.03 - Improper Authorization to Unauthenticated Download of Password-Protected Files
GHSA
2024-12-19: GHSA-c59h-89fr-559v: The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on