CVE-2024-5266
📋 TL;DR
The Download Manager Pro WordPress plugin has a stored XSS vulnerability in multiple shortcodes that allows authenticated attackers with contributor access or higher to inject malicious scripts. These scripts execute when users view pages containing the compromised shortcodes, potentially compromising visitor sessions or performing unauthorized actions. All WordPress sites using this plugin up to version 3.2.92 are affected.
💻 Affected Systems
- WordPress Download Manager Pro plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal session cookies or perform limited unauthorized actions when users view affected pages.
If Mitigated
With proper input validation and output escaping, malicious scripts are neutralized and rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access (contributor or higher) and knowledge of vulnerable shortcodes. The vulnerability is in common WordPress functionality making exploitation straightforward for attackers with access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.93 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3096450/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Download Manager Pro' and click 'Update Now'. 4. Alternatively, download version 3.2.93+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable shortcodes
allRemove or disable the wpdm_user_dashboard, wpdm_package, wpdm_packages, wpdm_search_result, and wpdm_tag shortcodes from all posts/pages
WordPress database query: UPDATE wp_posts SET post_content = REPLACE(post_content, '[wpdm_user_dashboard', '[disabled_wpdm_user_dashboard') WHERE post_content LIKE '%[wpdm_user_dashboard%';
Repeat for other vulnerable shortcodes
Restrict user roles
allTemporarily remove contributor-level access from untrusted users
WordPress admin: Users → All Users → Edit user → Role → Change to Subscriber
🧯 If You Can't Patch
- Immediately remove contributor and author access from all untrusted users
- Implement web application firewall rules to block XSS payloads in shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Download Manager Pro version. If version is 3.2.92 or lower, you are vulnerable.Check Version:
WordPress: wp plugin list --name='download-manager' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 3.2.93 or higher in WordPress plugins page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with shortcode parameters
- Multiple failed login attempts followed by successful contributor-level login
- Posts/pages being modified by contributor-level users with script tags in content
Network Indicators:
- HTTP requests containing malicious script payloads in shortcode attributes
- Outbound connections to suspicious domains from your WordPress site
SIEM Query:
source="wordpress.log" AND ("wpdm_user_dashboard" OR "wpdm_package" OR "wpdm_packages" OR "wpdm_search_result" OR "wpdm_tag") AND ("<script" OR "javascript:" OR "onload=" OR "onerror=")🔗 References
- https://plugins.trac.wordpress.org/changeset/3096450/#file24
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L255
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L315
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L337
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L63
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/views/link-templates/link-template-bsthumnail.php?rev=2558306#L5
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/User/Dashboard.php?rev=2799791#L32
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/User/Dashboard.php?rev=2799791#L71
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/User/views/dashboard/profile.php?rev=2558306#L79
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/wpdm-functions.php?rev=3052986#L216
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/wpdm-functions.php?rev=3052986#L261
- https://wordpress.org/plugins/download-manager/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6e363a62-8d31-4140-878b-5034d6c7b6a1?source=cve
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_package-single-package-embed-short-code/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_packages-wp_query-in-a-shortcode-for-download-manager-packages/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_search_result-shows-search-form/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_tag-query-all-downloads-from-specified-tags/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_user_dashboard-user-dashboard-short-code/
- https://plugins.trac.wordpress.org/changeset/3096450/#file24
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L255
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L315
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L337
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/Shortcodes.php?rev=3052986#L63
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/Package/views/link-templates/link-template-bsthumnail.php?rev=2558306#L5
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/User/Dashboard.php?rev=2799791#L32
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/User/Dashboard.php?rev=2799791#L71
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/User/views/dashboard/profile.php?rev=2558306#L79
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/wpdm-functions.php?rev=3052986#L216
- https://plugins.trac.wordpress.org/log/download-manager/trunk/src/wpdm-functions.php?rev=3052986#L261
- https://wordpress.org/plugins/download-manager/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6e363a62-8d31-4140-878b-5034d6c7b6a1?source=cve
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_package-single-package-embed-short-code/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_packages-wp_query-in-a-shortcode-for-download-manager-packages/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_search_result-shows-search-form/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_tag-query-all-downloads-from-specified-tags/
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_user_dashboard-user-dashboard-short-code/
