CVE-2024-2098

HIGH

Download Manager <= 3.2.89 - Unauthenticated Password-Protected File Download via protectMediaLibrary Function

Title source: llm

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3072712/download-manager

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve

Scores

CVSS v3 7.5

EPSS 0.0045

EPSS Percentile 36.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-289 CWE-863

Status published

Products (2)

codename065/Download Manager < 3.2.89

w3eden/download_manager < 3.2.90

Published Jun 13, 2024

Tracked Since Feb 18, 2026