CVE-2024-10706

4.8 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability allows high-privilege WordPress users (such as administrators) to inject malicious scripts into the plugin's settings, which then execute when other users view those settings pages. It affects WordPress sites running the Download Manager plugin before version 3.3.03, and is particularly relevant in multisite configurations, where the unfiltered_html capability is restricted and such input would normally be sanitized.

💻 Affected Systems

Products:
  • WordPress Download Manager plugin
Versions: All versions before 3.3.03
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin-level access; particularly relevant for WordPress multisite installations where unfiltered_html capability is restricted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated admin could inject persistent XSS payloads that steal session cookies, redirect users to malicious sites, or perform actions as other users when they view plugin settings pages.

🟠 Likely Case

A malicious admin or a compromised admin account injects tracking scripts or defaces the site through stored XSS in plugin settings.

🟢 If Mitigated

With proper user access controls and admin account security, impact is limited to settings pages accessible only to high-privilege users.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges; proof-of-concept details are publicly available in the WPScan reference.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.03

Vendor Advisory: https://wpscan.com/vulnerability/01193420-9a4c-4961-93b6-aa2e37e36be1/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Download Manager' and click 'Update Now'.
4. Verify the version is 3.3.03 or later.

🔧 Temporary Workarounds

Temporary plugin deactivation (applies to: all)

Disable the Download Manager plugin until patched:

wp plugin deactivate download-manager

Restrict admin access (applies to: all)

Tighten admin account security and implement multi-factor authentication.

🧯 If You Can't Patch

  • Remove admin access from untrusted users and implement strict access controls
  • Install a web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins, find Download Manager and verify version is below 3.3.03

Check Version:

wp plugin get download-manager --field=version

Verify Fix Applied:

After updating, confirm Download Manager version is 3.3.03 or higher in WordPress plugins list
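The following POSIX shell script is an added example and is not part of the advisory or of the Download Manager plugin. It wraps the WP-CLI version check above in a numeric version comparison (so that, for example, 3.3.10 is correctly treated as newer than 3.3.03) and reports whether the installed plugin still falls below the fixed release. It assumes WP-CLI (`wp`) is on PATH and that it is run from the WordPress root; the function names `version_lt`, `dm_status` and `check_installed` are this example's own.

```shell
#!/bin/sh
# Added example: check the installed Download Manager version against the
# fixed release named in the advisory (3.3.03). Not the plugin's own code.

FIXED_VERSION="3.3.03"

# version_lt A B -> exit status 0 when dotted version A is strictly lower
# than B. Components are compared numerically, so "03" and "3" are equal
# and "10" sorts after "3" (a plain string compare would get both wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0   # a < b
            if (xi > yi) exit 1   # a > b
        }
        exit 1                    # equal: not strictly lower
    }'
}

# dm_status VERSION -> prints a verdict; returns 0 when the fix is present
# and 1 when the version is still below FIXED_VERSION.
dm_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: Download Manager $1 is below $FIXED_VERSION (CVE-2024-10706)"
        return 1
    fi
    echo "OK: Download Manager $1 includes the fix"
    return 0
}

# check_installed -> reads the live version through WP-CLI (the command
# from the advisory's "Check Version" step) and classifies it.
# Returns 2 when the plugin is not installed or WP-CLI fails.
check_installed() {
    v=$(wp plugin get download-manager --field=version 2>/dev/null) || {
        echo "Download Manager plugin not installed (or WP-CLI unavailable)"
        return 2
    }
    dm_status "$v"
}

# Usage:  ./check_dm.sh --live      (query WP-CLI on this site)
#         ./check_dm.sh 3.3.02      (classify a version string by hand)
case "${1:-}" in
    "")      ;;
    --live)  check_installed ;;
    *)       dm_status "$1" ;;
esac
```

The exit status is meant for use from a cron job or a configuration-management run: 1 means the site is still on an affected version, 0 means the fix is present, and 2 means the plugin is absent (which also means the CVE does not apply).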

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying plugin settings
  • JavaScript payloads in plugin setting updates

Network Indicators:

  • Suspicious outbound connections from admin sessions after viewing plugin settings

SIEM Query:

source="wordpress" AND (event="plugin_settings_update" OR event="option_update") AND plugin="download-manager" AND user_role="administrator"
