CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30910 – WordPress CM Download Manager plugin <= 2.9.6 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2025-30910
27 Mar 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CreativeMindsSolutions CM Download Manager allows Path Traversal. This issue affects CM Download Manager: from n/a through 2.9.6. The CM Download Manager – Simplify file sharing with powerful download management plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletescreenshot() function in all versions up to, and including, 2.9.6. This makes it possibl... • https://patchstack.com/database/wordpress/plugin/cm-download-manager/vulnerability/wordpress-cm-download-manager-plugin-2-9-6-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1231 – CM Download and File Manager < 2.9.0 - Download Unpublish via CSRF
https://notcve.org/view.php?id=CVE-2024-1231
25 Mar 2024 — The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins unpublish downloads via a CSRF attack El complemento CM Download Manager de WordPress anterior a 2.9.0 no tiene comprobaciones CSRF en algunos lugares, lo que podría permitir a los atacantes hacer que los administradores registrados anulen la publicación de las descargas mediante un ataque CSRF. The CM Download Manager plugin for WordPress is vulnerable to Cros... • https://wpscan.com/vulnerability/7d3968d9-61ed-4c00-8764-0360cf03255e • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1232 – CM Download Manager < 2.9.0 - Download Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-1232
25 Mar 2024 — The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack El complemento CM Download Manager de WordPress anterior a 2.9.0 no tiene comprobaciones CSRF en algunos lugares, lo que podría permitir a los atacantes hacer que los administradores registrados eliminen las descargas mediante un ataque CSRF. The CM Download Manager plugin for WordPress is vulnerable to Cross-Site Request Forg... • https://wpscan.com/vulnerability/2a29b509-4cd5-43c8-84f4-f86251dd28f8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1962 – CM Download and File Manager < 2.9.1 - Download Edit via CSRF
https://notcve.org/view.php?id=CVE-2024-1962
25 Mar 2024 — The CM Download Manager WordPress plugin before 2.9.1 does not have CSRF checks in some places, which could allow attackers to make logged in admins edit downloads via a CSRF attack El complemento CM Download Manager de WordPress anterior a 2.9.1 no tiene controles CSRF en algunos lugares, lo que podría permitir a los atacantes hacer que los administradores registrados editen las descargas a través de un ataque CSRF. The CM Download Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in... • https://wpscan.com/vulnerability/469486d4-7677-4d66-83c0-a6b9ac7c503b • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3076 – CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-3076
05 Sep 2022 — The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin's setting, which could be used by admins of multisite blog to upload PHP files for example. El plugin CM Download Manager de WordPress versiones anteriores a 2.8.6, permite a usuarios con altos privilegios, como los administradores, subir archivos arbitrarios estableciendo cualquier extensión por medio de la configuración del plugin, lo que pod... • https://wpscan.com/vulnerability/d18e695b-4d6e-4ff6-a060-312594a0d2bd • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24145 – CM Download Manager <= 2.7.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-24145
13 Apr 2021 — Cross Site Scripting (XSS) vulnerability in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted deletescreenshot action. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en el plugin CM Download Manager (también se conoce como cm-download-manager) versión 2.7.0 para WordPress, permite a atacantes remotos inyectar scripts web o HTML arbitrarios por medio de una acción deletescreenshot diseñada The CM Do... • https://github.com/secwx/research/blob/main/cve/CVE-2020-24145.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24146 – CM Download Manager < 2.8.0 - Directory Traversal to Arbitrary File Deletion and Denial of Service
https://notcve.org/view.php?id=CVE-2020-24146
13 Apr 2021 — Directory traversal in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows authorized users to delete arbitrary files and possibly cause a denial of service via the fileName parameter in a deletescreenshot action. Un salto de Directorio en el plugin CM Download Manager (también se conoce como cm-download-manager) versión 2.7.0 para WordPress, permite a usuarios autorizados eliminar archivos arbitrarios y posiblemente causar una denegación de servicio por medio del parámetro f... • https://github.com/secwx/research/blob/main/cve/CVE-2020-24146.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-27344 – CM Download Manager <= 2.7.0 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-27344
21 Oct 2020 — The cm-download-manager plugin before 2.8.0 for WordPress allows XSS. El plugin cm-download-manager versiones anteriores a 2.8.0 para WordPress, permite un ataque de tipo XSS The CM Download Manager plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting via the ‘filename’ parameter in versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping. This makes it possible for highly privileged attackers to inject arbitrary web scripts in pages that wil... • https://gist.github.com/qwebee/da79c6a9fa982c3c40988a1e0598c0d9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 2CVE-2014-9129 – CM Download Manager <= 2.0.6 - Cross-Site Request Forgery to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-9129
01 Dec 2014 — Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php. Vulnerabilidad de CSRF en el plugin CreativeMinds CM Downloads Manager anterior a 2.0.7 para WordPress permite a atacantes remotos secuestrar la autenticación de administ... • https://packetstorm.news/files/id/129357 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 37%CPEs: 4EXPL: 3CVE-2014-8877 – CM Download Manager <= 2.0.3 - Code Injection
https://notcve.org/view.php?id=CVE-2014-8877
10 Nov 2014 — The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function. La función alterSearchQuery en lib/controllers/CmdownloadController.php en el plugin CreativeMinds CM Downloads Manager anterior a 2.0.4 para WordPress permite a atacantes remotos ejecutar código PHP arbitra... • https://packetstorm.news/files/id/129183 • CWE-94: Improper Control of Generation of Code ('Code Injection') •