Lucene search
K

WordPress Download Manager < 3.3.07 - Unauthenticated Data Exposure

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 40 Views

WordPress Download Manager < 3.3.07 exposes files without htaccess, update to version 3.3.07 or later.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-13126
16 Mar 202506:46
circl
CNNVD
WordPress plugin Download Manager 安全漏洞
16 Mar 202500:00
cnnvd
CVE
CVE-2024-13126
16 Mar 202506:00
cve
Cvelist
CVE-2024-13126 Download Manager < 3.3.07 - Unauthenticated Data Exposure
16 Mar 202506:00
cvelist
EUVD
EUVD-2025-6518
3 Oct 202520:07
euvd
NVD
CVE-2024-13126
16 Mar 202506:15
nvd
OSV
CVE-2024-13126
16 Mar 202506:15
osv
Patchstack
WordPress Download Manager plugin <= 3.3.06 - Unauthenticated Information Disclosure via Unprotected Directory vulnerability
8 Mar 202503:55
patchstack
Positive Technologies
PT-2025-11379 · WordPress · Download Manager
16 Mar 202500:00
ptsecurity
RedhatCVE
CVE-2024-13126
18 Mar 202506:25
redhatcve
Rows per page
id: CVE-2024-13126

info:
  name: WordPress Download Manager < 3.3.07 - Unauthenticated Data Exposure
  author: ritikchaddha
  severity: medium
  description: |
    The WordPress Download Manager plugin before version 3.3.07 does not prevent directory listing on web servers that don't use htaccess, allowing unauthorized access to files stored in the download-manager-files directory.
  impact: |
    Unauthenticated attackers can access sensitive files stored in the download-manager-files directory due to directory listing, potentially exposing confidential documents or data.
  remediation: |
    Update the WordPress Download Manager plugin to version 3.3.07 or later.
  reference:
    - https://wpscan.com/vulnerability/c2c69a44-4ecc-41d1-a10c-cfe9c875b803/
    - https://research.cleantalk.org/cve-2024-13126/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-13126
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-13126
    cwe-id: CWE-552
    epss-score: 0.00453
    epss-percentile: 0.36241
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="wp-content/plugins/download-manager/"
    google-query: inurl:"/wp-content/plugins/download-manager/"
    shodan-query: html:"wp-content/plugins/download-manager/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,directory-listing,download-manager,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/uploads/download-manager-files/"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Index of /wp-content/uploads/download-"
          - "Last modified"
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d8faa9aa37488c93394d330d5902f822a7bd498441d41d659db783e2a3da2bfa02200bd2b68f8dcc279cef783b124e04cc3bdef3f4228d9cfe17e2a0f187e2ced1c1:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6Medium risk
Vulners AI Score6
CVSS 3.14.6
EPSS0.00453
SSVC
40