CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions. Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6).
• https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports and local network hosts, and execute commands on services.
• https://github.com/secwx/research/blob/main/cve/CVE-2020-24141.md
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 2

The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users to update every WordPress option. WordPress Download Manager plugin version 2.7.2 suffers from a privilege escalation vulnerability.
• https://www.exploit-db.com/exploits/36301
• http://packetstormsecurity.com/files/130690/WordPress-Download-Manager-2.7.2-Privilege-Escalation.html
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization