Filtered by vendor Wpdownloadmanager
Subscriptions
Filtered by product Download Manager
Subscriptions
Total
6 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-4001 | 1 Wpdownloadmanager | 1 Download Manager | 2024-06-11 | 5.4 Medium |
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_modal_login_form' shortcode in all versions up to, and including, 3.2.93 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
CVE-2023-1809 | 1 Wpdownloadmanager | 1 Download Manager | 2023-11-07 | 7.5 High |
The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. | ||||
CVE-2023-1524 | 1 Wpdownloadmanager | 1 Download Manager | 2023-11-07 | 6.5 Medium |
The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password. | ||||
CVE-2022-45836 | 1 Wpdownloadmanager | 1 Download Manager | 2023-04-27 | 6.1 Medium |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin <= 3.2.59 versions. | ||||
CVE-2022-2168 | 1 Wpdownloadmanager | 1 Download Manager | 2022-07-18 | 6.1 Medium |
The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting | ||||
CVE-2021-25069 | 1 Wpdownloadmanager | 1 Download Manager | 2022-02-28 | 8.8 High |
The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue |
Page 1 of 1.