WordPress Plugin Vulnerabilities

WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF

Description

The plugin did not have CSRF check in place before saving its Email Template setting, allowing attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
download-manager
Fixed in 3.2.13

References

URL
https://plugins.trac.wordpress.org/changeset/2577634

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
115a6fd3-a723-4167-a9a3-379871f13fcb

Timeline

Publicly Published
2021-08-09 (about 4 years ago)
Added
2021-08-09 (about 4 years ago)
Last Updated
2021-08-09 (about 4 years ago)

Other

Published
Title
Published
2025-11-30
Title
Rencontre < 3.13.8 - Cross-Site Request Forgery
Published
2022-02-23
Title
Amelia < 1.0.46 - Arbitrary Customer Deletion via CSRF
Published
2014-08-01
Title
Cool Video Gallery 1.8 - admin/gallery-manage.php Gallery Deletion CSRF
Published
2023-08-28
Title
Maintenance Switch <= 1.7.1 - Theme Files Creation/Deletion via CSRF
Published
2024-03-22
Title
Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing < 3.6.4 - Plugin Settings Update via CSRF