WordPress Plugin Vulnerabilities

CM Download Manager < 2.8.0 - Authenticated Arbitrary File Deletion

Description

The plugin may allow authorized users to delete arbitrary files and possibly cause a denial of service via the fileName parameter in a deletescreenshot action.

Affects Plugins

Plugin icon
cm-download-manager
Fixed in 2.8.0

References

CVE
CVE-2020-24146
URL
https://github.com/secwx/research/blob/main/cve/CVE-2020-24146.md

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Suzhou Aurora Infinity Information Technology Co., Ltd.
Verified
Yes
WPVDB ID
bdf96338-e538-430f-822d-47639064d64f

Timeline

Publicly Published
2021-04-13 (about 5 years ago)
Added
2021-07-09 (about 4 years ago)
Last Updated
2022-04-12 (about 4 years ago)

Other

Published
Title
Published
2025-05-07
Title
Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.27 - Unauthenticated Arbitrary File Read
Published
2025-07-14
Title
Goza - Nonprofit Charity WordPress Theme < 3.2.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion
Published
2026-01-06
Title
EmailKit < 1.6.2 - Authenticated (Author+) Arbitrary File Read via Path Traversal
Published
2026-04-21
Title
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters
Published
2025-12-05
Title
10Web Booster < 2.32.11 - Subscriber+ Arbitrary Folder Deletion