CVE-2024-35162 – Download Plugins and Themes from Dashboard <= 1.8.5 - Authenticated (Admin+) Arbitrary File Download
https://notcve.org/view.php?id=CVE-2024-35162
Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server. The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.5 via the download_theme function.
• https://jvn.jp/en/jp/JVN85380030
• https://wordpress.org/plugins/download-plugins-dashboard
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-17239 – Download Plugins and Themes from Dashboard <= 1.5.0 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17239
includes/settings/class-alg-download-plugins-settings.php in the download-plugins-dashboard plugin through 1.5.0 for WordPress has multiple unauthenticated stored XSS issues.
• https://wordpress.org/plugins/download-plugins-dashboard/#developers
• https://wpvulndb.com/vulnerabilities/9896
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')