WordPress Plugin Vulnerabilities

FREE DOWNLOAD MANAGER <= 1.0.0 - Unauthenticated Arbitrary File Download

Description

The FREE DOWNLOAD MANAGER plugin for WordPress is vulnerable to Arbitrary File Downloads in all versions up to, and including, 1.0.0 via the download_stats_updated() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
free-download-manager
No known fix

References

CVE
CVE-2024-49315
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/52943f74-d0a6-43d2-a8e6-d9fd90925b3e

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
f2af0ddd-098c-472c-a547-2852ace3323e

Timeline

Publicly Published
2024-10-15 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-10-18 (about 1 year ago)

Other

Published
Title
Published
2026-04-07
Title
Advanced Members for ACF < 1.2.6 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal
Published
2023-12-22
Title
Backup Migration < 1.4.0 - Unauthenticated Path Traversal to Arbitrary File Deletion
Published
2016-08-23
Title
Mail Masta <= 1.0 - Unauthenticated Local File Inclusion (LFI)
Published
2021-04-05
Title
Tutor LMS < 1.8.8 - Authenticated Local File Inclusion
Published
2025-10-14
Title
XStore | Multipurpose WooCommerce Theme < 9.6 - Authenticated (Subscriber+) Local File Inclusion