W3Eden Download Manager vulnerabilities
48 known vulnerabilities affecting w3eden/download_manager.
Total CVEs
48
CISA KEV
0
Public exploits
8
Exploited in wild
2
Severity breakdown
HIGH16MEDIUM32
Vulnerabilities
Page 2 of 3
CVE-2023-1524P3MEDIUMCVSS 6.5fixed in 3.2.712023-05-30
CVE-2023-1524 [MEDIUM] CWE-284 CVE-2023-1524: The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for passw
The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.
nvd
CVE-2021-34638P3MEDIUMCVSS 6.5≤ 3.1.242021-08-05
CVE-2021-34638 [MEDIUM] CWE-22 CVE-2021-34638: Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Cont
Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension
nvd
CVE-2022-36288P3HIGHCVSS 8.8≤ 3.2.482022-08-23
CVE-2022-36288 [HIGH] CWE-352 CVE-2022-36288: Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.
nvd
CVE-2024-56217P3MEDIUMCVSS 6.3fixed in 3.3.042024-12-31
CVE-2024-56217 [MEDIUM] CWE-862 CVE-2024-56217: Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting
Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through <= 3.3.03.
nvd
CVE-2022-34347P4HIGHCVSS 8.8≤ 3.2.482022-08-22
CVE-2022-34347 [HIGH] CWE-352 CVE-2022-34347: Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at Word
Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.
nvd
CVE-2014-8585P4MEDIUMCVSS 5.0v1.1v1.2+102 more2014-11-04
CVE-2014-8585 [MEDIUM] CWE-59 CVE-2014-8585: Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remo
Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php.
nvd
CVE-2023-6785P4MEDIUMCVSS 5.3fixed in 3.2.852024-03-13
CVE-2023-6785 [MEDIUM] CWE-284 CVE-2023-6785: The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added
The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published).
nvd
CVE-2024-11768P4MEDIUMCVSS 5.3fixed in 3.3.042024-12-19
CVE-2024-11768 [MEDIUM] CWE-285 CVE-2024-11768: The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protect
The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.
nvd
CVE-2022-1985P4MEDIUMCVSS 6.1≤ 3.2.422022-06-13
CVE-2022-1985 [MEDIUM] CWE-79 CVE-2022-1985: The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in version
The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including 3.2.42. This is due to insufficient input sanitization and output escaping on the 'frameid' parameter found in the ~/src/Package/views/shortcode-iframe.php file.
nvd
CVE-2017-18032P4MEDIUMCVSS 6.1fixed in 2.9.522018-01-16
CVE-2017-18032 [MEDIUM] CWE-79 CVE-2017-18032: The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_gener
The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php.
nvd
CVE-2024-5266P4MEDIUMCVSS 5.4fixed in 3.2.942024-06-12
CVE-2024-5266 [MEDIUM] CWE-79 CVE-2024-5266: The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdm_
The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdm_user_dashboard, wpdm_package, wpdm_packages, wpdm_search_result, and wpdm_tag shortcodes in all versions up to, and including, 3.2.92 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authe
nvd
CVE-2017-2216P4MEDIUMCVSS 6.1≤ 2.9.492017-07-07
CVE-2017-2216 [MEDIUM] CWE-79 CVE-2017-2216: Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remo
Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2022-2101P4MEDIUMCVSS 5.4≤ 3.2.462022-07-18
CVE-2022-2101 [MEDIUM] CWE-79 CVE-2022-2101: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on t
nvd
CVE-2023-2305P4MEDIUMCVSS 5.4fixed in 3.2.712023-06-09
CVE-2023-2305 [MEDIUM] CWE-79 CVE-2023-2305: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdm
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdm_members', 'wpdm_login_form', 'wpdm_reg_form' shortcodes in versions up to, and including, 3.2.70 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-
nvd
CVE-2022-4476P4MEDIUMCVSS 5.4fixed in 3.2.622023-01-16
CVE-2022-4476 [MEDIUM] CWE-79 CVE-2022-4476: The Download Manager WordPress plugin before 3.2.62 does not validate and escapes some of its shortc
The Download Manager WordPress plugin before 3.2.62 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.
nvd
CVE-2023-6954P4MEDIUMCVSS 5.4≤ 3.2.852024-03-13
CVE-2023-6954 [MEDIUM] CWE-79 CVE-2023-6954: The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the p
The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.2.85 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to i
nvd
CVE-2024-6208P4MEDIUMCVSS 5.4fixed in 3.2.982024-07-31
CVE-2024-6208 [MEDIUM] CWE-79 CVE-2024-6208: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_all_packages' shortcode in all versions up to, and including, 3.2.97 due to insufficient input sanitization and output escaping on the 'cols' parameter. This makes it possible for authenticated attackers, with contributor-level access and above
nvd
CVE-2024-4160P4MEDIUMCVSS 5.4fixed in 3.2.902024-05-31
CVE-2024-4160 [MEDIUM] CWE-79 CVE-2024-4160: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm-all-packages' shortcode in all versions up to, and including, 3.2.90 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and a
nvd
CVE-2024-29114P4MEDIUMCVSS 5.4fixed in 3.2.852024-03-19
CVE-2024-29114 [MEDIUM] CWE-79 CVE-2024-29114: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in W3 Eden, Inc. Download Manager allows Stored XSS.This issue affects Download Manager: from n/a through 3.2.84.
nvd
CVE-2024-1766P4MEDIUMCVSS 5.4fixed in 3.2.872024-06-12
CVE-2024-1766 [MEDIUM] CWE-79 CVE-2024-1766: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that
nvd