CVE-2024-11768

MEDIUM

WordPress Download Manager <3.3.03 - Info Disclosure

Title source: llm

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/__/Apply.php#L376

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/feb915f4-66d6-4f46-949c-5354e414319b?source=cve

Scores

CVSS v3 5.3

EPSS 0.0033

EPSS Percentile 24.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (2)

codename065/Download Manager < 3.3.03

w3eden/download_manager < 3.3.04

Published Dec 19, 2024

Tracked Since Feb 18, 2026