This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WEB_APPLICATION_SCANNING_114013Download Manager Plugin for WordPress < 3.2.34 Multiple Vulnerabilities
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
58.9%
The WordPress Download Manager Plugin installed on the remote host is affected by multiple vulnerabilities:
-
A Authenticated SQL Injection in the package_ids parameter leading to reflected Cross-Site Scripting (XSS) (CVE-2021-25069).
-
Weak Master Download key permits attackers to brute force the key with reasonable resources & bypass role or password based protections for downloads. (CVE-2022-0828)
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
No source data| Vendor | Product | Version | CPE |
|---|---|---|---|
| wpdownloadmanager | download_manager | * | cpe:2.3:a:wpdownloadmanager:download_manager:*:*:*:*:*:wordpress:*:* |
Related
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
58.9%