Total
5 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-1524 | 1 Wpdownloadmanager | 1 Download Manager | 2023-12-10 | N/A | 6.5 MEDIUM |
The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password. | |||||
CVE-2023-1809 | 1 Wpdownloadmanager | 1 Download Manager | 2023-12-10 | N/A | 7.5 HIGH |
The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. | |||||
CVE-2022-45836 | 1 Wpdownloadmanager | 1 Download Manager | 2023-12-10 | N/A | 6.1 MEDIUM |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin <= 3.2.59 versions. | |||||
CVE-2022-2168 | 1 Wpdownloadmanager | 1 Download Manager | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting | |||||
CVE-2021-25069 | 1 Wpdownloadmanager | 1 Download Manager | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue |