CVE-2024-49315
📋 TL;DR
This path traversal vulnerability in CodeFlock's FREE DOWNLOAD MANAGER WordPress plugin allows attackers to delete arbitrary files on the server. It affects all WordPress sites using this plugin version 1.0.0 and earlier. Attackers can exploit this to delete critical system files or website content.
💻 Affected Systems
- CodeFlock FREE DOWNLOAD MANAGER WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete website compromise through deletion of WordPress core files, configuration files, or operating system files, leading to site destruction or server takeover.
Likely Case
Website defacement or disruption through deletion of WordPress theme/plugin files, media uploads, or database files.
If Mitigated
Limited impact if file permissions restrict write access to critical directories and web server runs with minimal privileges.
🎯 Exploit Status
Path traversal vulnerabilities are commonly exploited with simple HTTP requests. The Patchstack reference indicates public disclosure with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - plugin appears abandoned
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Deactivate FREE DOWNLOAD MANAGER plugin. 4. Delete the plugin completely. 5. Find alternative download manager plugin.
🔧 Temporary Workarounds
Disable Plugin
allImmediately deactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate free-download-manager
Restrict File Deletion
linuxConfigure web server to deny file deletion operations from web user
# In .htaccess for Apache: <FilesMatch "\.(php|inc|sql)$">
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove plugin files manually via FTP/SFTP if WordPress admin is inaccessible
- Implement web application firewall (WAF) rules to block path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin plugins page for FREE DOWNLOAD MANAGER version 1.0.0 or earlierCheck Version:
wp plugin list --name=free-download-manager --field=versionVerify Fix Applied:
Confirm plugin is completely removed from /wp-content/plugins/free-download-manager/ directory📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences
- File deletion operations in web server logs
- 404 errors for unexpectedly missing files
Network Indicators:
- HTTP POST requests to plugin endpoints with file path parameters
- Unusual file deletion patterns
SIEM Query:
source="web_server" AND (uri="*free-download-manager*" AND (uri="*../*" OR method="DELETE"))