CVE-2024-32131

5.3 MEDIUM

📋 TL;DR

This vulnerability in the WordPress Download Manager plugin allows attackers to bypass password protection on files, exposing sensitive information to unauthorized users. It affects all WordPress sites using Download Manager versions up to 3.2.82.

💻 Affected Systems

Products:
  • WordPress Download Manager by W3 Eden Inc.
Versions: n/a through 3.2.82
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Download Manager plugin installed and using password-protected files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers download password-protected files containing sensitive data like customer information, financial records, or proprietary documents.

🟠 Likely Case

Unauthorized access to files that should be restricted, potentially exposing confidential business documents or user data.

🟢 If Mitigated

Limited exposure if files contain only public information or if additional access controls exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is publicly documented and relatively simple to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.83 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/download-manager/wordpress-download-manager-plugin-3-2-82-file-password-lock-bypass-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Download Manager and click 'Update Now'.
4. Verify the version is 3.2.83 or higher.

🔧 Temporary Workarounds

Disable password-protected downloads (applies to: all)

Temporarily remove password protection from sensitive files until patched.

Remove plugin (applies to: all)

Deactivate and delete the Download Manager plugin if not essential.

🧯 If You Can't Patch

  • Implement web application firewall rules to block exploitation attempts
  • Move sensitive files to a separate, properly secured storage system

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Download Manager version.

Check Version:

wp plugin list --name='download-manager' --field=version

Verify Fix Applied:

Confirm Download Manager version is 3.2.83 or higher in WordPress admin.
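As an added example (not part of this advisory), a POSIX sh script that compares the installed Download Manager version against the first fixed release, 3.2.83, using its own numeric component comparison so it does not depend on `sort -V`; the `check_site` helper assumes `wp` (wp-cli) is on PATH and is run from the WordPress root.

```shell
#!/bin/sh
# Added example: version check for CVE-2024-32131 (fixed in 3.2.83).
FIXED_VERSION="3.2.83"

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Components are compared numerically; a missing component counts as 0 and a
# trailing non-numeric suffix (e.g. "83beta") is ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: returns 0 (true) if VERSION is below 3.2.83.
is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# check_site: reads the installed version via wp-cli (assumed on PATH, run
# from the WordPress root) and reports it. Exit 0 = vulnerable, 1 = fixed,
# 2 = plugin not installed.
check_site() {
    v="$(wp plugin list --name=download-manager --field=version 2>/dev/null)"
    if [ -z "$v" ]; then
        echo "download-manager not installed"; return 2
    fi
    if is_vulnerable "$v"; then
        echo "VULNERABLE: download-manager $v (< $FIXED_VERSION)"; return 0
    fi
    echo "OK: download-manager $v"; return 1
}
```

Loop `check_site` over a fleet (for example via `wp --path=...` or `ssh`) to find installations still on 3.2.82 or earlier.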

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to password-protected download URLs
  • Multiple failed password attempts followed by successful downloads

Network Indicators:

  • Requests bypassing authentication parameters for download endpoints

SIEM Query:

source="wordpress.log" AND "download-manager" AND ("password" OR "auth") AND status=200
