WordPress Plugin Vulnerabilities

CM Download Manager < 2.9.0 - Download Deletion via CSRF

Description

The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
cm-download-manager
Fixed in 2.9.0

References

CVE
CVE-2024-1232
YouTube Video

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Sushmita Poudel
Submitter
Sushmita Poudel
Submitter website
https://susmitapoudel.com.np
Submitter twitter
poudelsushmita1
Verified
Yes
WPVDB ID
2a29b509-4cd5-43c8-84f4-f86251dd28f8

Timeline

Publicly Published
2024-03-04 (about 1 year ago)
Added
2024-03-04 (about 1 year ago)
Last Updated
2024-03-04 (about 1 year ago)

Other

Published
Title
Published
2022-03-08
Title
Analytics Cat < 1.1.0 - Settings Update via CSRF
Published
2023-09-13
Title
10Web Map Builder for Google Maps < 1.0.74 - Cross-Site Request Forgery to Notice Dismissal
Published
2024-04-15
Title
Paid Memberships Pro < 3.0.2 - Cross-Site Request Forgery
Published
2025-04-04
Title
Read More & Accordion < 3.4.8 - Local File Inclusion via CSRF
Published
2024-08-29
Title
GS Logo Slider < 3.7.1 - Settings Update via Cross-Site Request Forgery