CVE-2024-6208
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages using the Download Manager plugin's 'wpdm_all_packages' shortcode. The scripts are stored and execute whenever other users view the compromised pages, potentially leading to session hijacking, credential theft, or malware distribution. All WordPress sites using Download Manager versions up to 3.2.97 are affected.
💻 Affected Systems
- WordPress Download Manager plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Malicious scripts steal user session cookies or credentials, redirect users to phishing pages, or deface website content.
If Mitigated
With proper user role management and content review processes, impact is limited to defacement or minor data leakage from lower-privileged users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. A proof of concept is publicly available in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.98
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3126662/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Download Manager' and click 'Update Now'.
4. Verify the version is 3.2.98 or higher.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'wpdm_all_packages' shortcode usage across the site
Restrict user roles
Temporarily restrict contributor-level users from creating or editing posts
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Enable WordPress security plugins with XSS protection and monitor for suspicious post/page edits
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Download Manager version. If the version is 3.2.97 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='download-manager' --field=version
Verify Fix Applied:
After updating, confirm Download Manager version is 3.2.98 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor-level users
- Suspicious shortcode usage in content
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Unexpected script tags in page responses containing the 'cols' parameter
- External script loads from unusual domains in page content
SIEM Query:
source="wordpress" (event="post_edit" OR event="page_edit") user_role="contributor" content="*wpdm_all_packages*"
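To back the content-review and "suspicious shortcode usage" indicators above, here is an added example (not part of the original advisory and not the plugin's own code) that parses `wpdm_all_packages` shortcodes out of stored post bodies and flags attribute values that carry HTML tags, event handlers or javascript: URLs. The sample post bodies, the attribute names and the scanning functions are constructed for illustration; in practice the bodies would come from a `wp post get` or database export.

```python
import re
from typing import Dict, List

# Matches every [wpdm_all_packages ...] shortcode and captures its raw attribute string.
SHORTCODE_RE = re.compile(r"\[wpdm_all_packages\b([^\]]*)\]", re.IGNORECASE)

# WordPress shortcode attribute grammar: key="v", key='v' or bare key=v.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Fragments that never belong in a column-list or display attribute of this shortcode.
SUSPICIOUS_RE = re.compile(r"<[^>]*>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_shortcodes(content: str) -> List[Dict[str, str]]:
    """Return one attribute dict per wpdm_all_packages shortcode found in content."""
    found = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = {}
        for key, dq, sq, bare in ATTR_RE.findall(m.group(1)):
            attrs[key.lower()] = dq or sq or bare
        found.append(attrs)
    return found


def suspicious_attributes(attrs: Dict[str, str]) -> List[str]:
    """Names of attributes whose value contains markup, an event handler or a javascript: URL."""
    return [name for name, value in attrs.items() if SUSPICIOUS_RE.search(value)]


def scan_post(post_id: int, content: str) -> List[str]:
    """One finding line per suspicious attribute in any wpdm_all_packages shortcode of a post."""
    findings = []
    for attrs in parse_shortcodes(content):
        for name in suspicious_attributes(attrs):
            findings.append(f"post {post_id}: attribute {name} -> {attrs[name]!r}")
    return findings


# Constructed sample post bodies (not real site data): a benign shortcode, and one whose
# 'cols' attribute (the parameter the advisory's indicators call out) breaks out of its
# quoting to smuggle an inline event handler.
SAMPLE_POSTS = {
    101: 'Downloads:\n[wpdm_all_packages items_per_page="10" cols="title,download_link"]',
    102: "[wpdm_all_packages cols='title\" onmouseover=\"alert(1)']",
}

if __name__ == "__main__":
    for pid, body in SAMPLE_POSTS.items():
        for line in scan_post(pid, body):
            print(line)
```

A hit is a review trigger, not proof of compromise; pair it with the post's author and revision history (the SIEM query above) before acting.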
🔗 References
- https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/Package/views/all-packages-shortcode.php?rev=3097323#L10
- https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/Package/views/all-packages-shortcode.php?rev=3097323#L302
- https://plugins.trac.wordpress.org/changeset/3126662/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c67d2f8-d918-42ef-a301-27eed7fa41b2?source=cve