WordPress Plugin Vulnerabilities

Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution

Description

The plugin is vulnerable to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
download-manager
Fixed in 3.3.04

References

CVE
CVE-2024-11740
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.3 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
c76d1e78-7033-41a5-b928-6e0303e5e341

Timeline

Publicly Published
2024-12-18 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2024-12-19 (about 1 year ago)

Other

Published
Title
Published
2026-03-20
Title
Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution
Published
2026-01-15
Title
Event Tickets with Ticket Scanner < 2.8.6 - Unauthenticated Remote Code Execution
Published
2026-03-02
Title
Widget Options <= 4.1.3 - Contributor+ Remote Code Execution
Published
2022-12-23
Title
User Post Gallery <= 2.19 - Unauthenticated RCE
Published
2025-12-02
Title
Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form