
DS.DownloadList CVE-2024-50507

Severity: CRITICAL, 9.8 (CVSS 3.1, NVD)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2024-10-30, reported by audit@patchstack.com

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVSS changed: Apr 23, 2026 - 15:22 (NVD), score 9.8 (CRITICAL)
CVE Published: Oct 30, 2024 - 08:15 (nvd), score N/A

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Daschmi DS.DownloadList dsdownloadlist allows Object Injection. This issue affects DS.DownloadList: from n/a through <= 1.3.

Analysis (AI)

Remote code execution in the DS.DownloadList WordPress plugin (versions through 1.3) allows unauthenticated attackers to trigger PHP object injection via untrusted deserialization, leading to full site compromise. EPSS scores this at the 96th percentile (22.05%) for exploitation probability, indicating an elevated likelihood of opportunistic attacks against unpatched WordPress installations, though no public exploit was identified at the time of analysis and it is not currently listed in CISA KEV.

Technical Context (AI)

DS.DownloadList (slug: dsdownloadlist) is a WordPress plugin by Daschmi used for displaying downloadable file lists. The vulnerability is rooted in CWE-502 (Deserialization of Untrusted Data), a class of bug where PHP's unserialize() is invoked on attacker-controlled input. In WordPress, PHP object injection vulnerabilities become exploitable when a 'magic method' gadget chain (e.g., __wakeup, __destruct, __toString) exists in WordPress core, another plugin, or the theme, allowing the attacker to repurpose existing code to execute arbitrary commands, write files, or pivot to RCE. The CWE-502 classification combined with the 'Object Injection' wording in the description points to a classic unserialize() sink reachable from user input within the plugin's handlers.

Affected Products (AI)

The affected product is the DS.DownloadList WordPress plugin by Daschmi (slug: dsdownloadlist), with all versions from the initial release through and including 1.3 marked vulnerable per the Patchstack advisory. No CPE string was provided in the input data, and no specific WordPress core or PHP version dependency was identified. The vulnerability was reported by audit@patchstack.com, and additional details are typically published at patchstack.com/database/vulnerability/dsdownloadlist.

Remediation (AI)

No vendor-released patch was identified at the time of analysis: the description states the issue affects versions 'from n/a through <= 1.3' without naming a fixed release. Administrators should immediately deactivate and remove the DS.DownloadList plugin from any WordPress site running version 1.3 or earlier and monitor the plugin's WordPress.org listing and Patchstack's advisory page for a future patched release. As compensating controls until a fix is published, restrict access to wp-admin and the site's front-end download endpoints via web application firewall rules that block serialized PHP payloads (patterns like 'O:' or 'a:' in request parameters, cookies or POST bodies); note that this may produce false positives for other plugins that legitimately accept serialized data. Replacing the plugin with an actively maintained alternative download-list plugin is the most durable mitigation given the lack of a confirmed fix version.
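The unserialize() sink described under Technical Context and the WAF pattern suggested above can be triaged more precisely than a bare 'O:' or 'a:' substring match. The following is an added example, not code from the plugin, Patchstack or vuln.today: it checks request parameters for the structural shape of PHP serialize() output, always reports serialized objects (the form a gadget chain needs) and reports plain serialized arrays only on request, which is the false-positive trade-off the advisory mentions. The parameter names and values are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Structural signatures of PHP serialize() output. Matching the full token
# shape (type, length, quoted class name, member count, brace) rather than a
# bare "O:" or "a:" avoids flagging ordinary prose such as "O: overview".
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')
PHP_ARRAY_RE = re.compile(r'a:\d+:\{')


def php_serialized_kind(value: str) -> Optional[str]:
    """Return 'object', 'array' or None for one request value.

    The value is URL-decoded first because WordPress query strings, cookies
    and POST bodies usually carry payloads percent-encoded.
    """
    decoded = unquote_plus(value)
    if PHP_OBJECT_RE.search(decoded):
        return "object"
    if PHP_ARRAY_RE.search(decoded):
        return "array"
    return None


def scan_request(params: Dict[str, str], block_arrays: bool = False) -> List[Tuple[str, str]]:
    """Return (parameter name, kind) for values that look like serialized PHP.

    Serialized objects are always reported. Serialized arrays are reported
    only when block_arrays is set, since some plugins legitimately send them.
    """
    hits: List[Tuple[str, str]] = []
    for name, value in params.items():
        kind = php_serialized_kind(value)
        if kind == "object" or (kind == "array" and block_arrays):
            hits.append((name, kind))
    return hits


# Constructed sample request parameters (hypothetical names, not real traffic).
SAMPLE_PARAMS = {
    "dl_id": "17",
    "filter": 'a:1:{s:3:"cat";s:4:"docs";}',                                    # serialized array
    "settings": 'O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D',  # URL-encoded object
    "note": "Section O: overview and a: appendix",                             # harmless text
}

if __name__ == "__main__":
    for name, kind in scan_request(SAMPLE_PARAMS, block_arrays=True):
        print(f"{name}: serialized PHP {kind}")
```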


CVE-2024-50507 vulnerability details – vuln.today
