WordPress Plugin Vulnerabilities

Download Manager < 3.2.90 - Improper Authorization via protectMediaLibrary

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

Affects Plugins

Plugin icon
download-manager
Fixed in 3.2.90

References

CVE
CVE-2024-2098
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
7.5 (high)

Miscellaneous

Original Researcher
m1tz
Verified
No
WPVDB ID
410a67f8-cd76-4576-9d0a-86877085c497

Timeline

Publicly Published
2024-06-12 (about 1 year ago)
Added
2024-06-14 (about 1 year ago)
Last Updated
2024-06-14 (about 1 year ago)

Other

Published
Title
Published
2016-06-24
Title
Welcart e-Commerce < 1.8.3 - Session Management
Published
2022-10-24
Title
tagDiv Composer < 3.5 - Unauthenticated Account Takeover
Published
2024-10-09
Title
WP Users Masquerade <= 2.0.0 - Authentication Bypass
Published
2026-05-01
Title
User Verification by PickPlugins < 2.0.47 - Unauthenticated Authentication Bypass via OTP Verification
Published
2025-06-26
Title
Simple Payment 1.3.6 - 2.3.8 - Authentication Bypass to Admin