WordPress Plugin Vulnerabilities

WP-DownloadManager < 1.68.5 - Server-Side Request Forgery (SSRF)

Description

The plugin before version 1.68.5 is vulnerable to server-side request forgery (SSRF) attacks. This could allow an attacker identify open ports, network hosts and access web resources on a non-public facing network.

Affects Plugins

Plugin icon
wp-downloadmanager
Fixed in 1.68.5

References

CVE
CVE-2020-24141
URL
https://github.com/secwx/research/blob/main/cve/CVE-2020-24141.md

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Suzhou Aurora Infinity Information Technology Co., Ltd
Verified
Yes
WPVDB ID
dcf85e73-7ff9-445f-ab2a-813094edcc04

Timeline

Publicly Published
2021-04-13 (about 5 years ago)
Added
2021-07-09 (about 4 years ago)
Last Updated
2021-08-10 (about 4 years ago)

Other

Published
Title
Published
2026-02-13
Title
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery
Published
2025-04-24
Title
Simple Google Photos Grid < 1.6 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2024-05-30
Title
Church Admin < 4.4.0 - Authenticated (Admin+) Server-Side Request Forgery
Published
2025-11-04
Title
WPeMatico RSS Feed Fetcher < 2.8.12 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed
Published
2024-04-16
Title
Really Simple SSL < 8.0.0 - Admin+ Server-Side Request Forgery