Download Manager
Monthly
Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.
Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.
Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.