WordPress Plugin Vulnerabilities

Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download

Description

The plugin doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server

Proof of Concept

Affects Plugins

Plugin icon
aoa-downloadable
No known fix

References

CVE
CVE-2024-13617

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Aly Khaled
Submitter
Aly Khaled
Submitter website
https://0x41ly.github.io/
Submitter twitter
Aly_Khal3d
Verified
Yes
WPVDB ID
8d6dd979-21ef-4d14-9c42-bbd1d7b65c53

Timeline

Publicly Published
2025-03-04 (about 10 months ago)
Added
2025-03-04 (about 10 months ago)
Last Updated
2025-03-04 (about 10 months ago)

Other

Published
Title
Published
2022-11-10
Title
S2W - Import Shopify to WooCommerce < 1.1.13 - Admin+ Arbitrary File Access
Published
2025-12-11
Title
Secure Copy Content Protection and Content Locking < 4.9.3 - Unauthenticated Sensitive Information Exposure via Exposed CSV Export File
Published
2024-07-09
Title
Secure Downloads < 1.2.3 - Admin+ Arbitrary File Download
Published
2023-06-12
Title
wpForo Forum < 2.1.8 - Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents
Published
2025-11-20
Title
Import WP – Export and Import CSV and XML files to WordPress < 2.14.18 - Unauthenticated Information Exposure