WordPress Plugin Vulnerabilities

Download Manager < 3.2.85 - Unauthenticated File Download

Description

The plugin is vulnerable to unauthorized file download of files added via the plugin, allowing unauthenticated attackers to download files added with the plugin (even when privately published).

Affects Plugins

Plugin icon
download-manager
Fixed in 3.2.85

References

CVE
CVE-2023-6785
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7b3608ca-8ed6-46ff-8e57-d8b68f91b9f2

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
aca8c687-2378-4447-b311-c2547076e4fd

Timeline

Publicly Published
2024-02-28 (about 2 years ago)
Added
2024-02-29 (about 2 years ago)
Last Updated
2024-02-29 (about 2 years ago)

Other

Published
Title
Published
2024-08-26
Title
NitroPack < 1.16.8 - Unauthenticated Arbitrary Shortcode Execution
Published
2021-09-06
Title
WordPress Automatic < 3.53.3 - Unauthenticated Arbitrary Options Update
Published
2020-07-07
Title
Adning Advertising < 1.5.6 - Unauthenticated Arbitrary File Upload/Deletion
Published
2024-12-04
Title
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins < 2.0.59 - Sensitive Information Exposure
Published
2024-02-02
Title
EventPrime < 3.4.0 - Improper Input Validation via save_event_booking