CVE-2021-34639

WordPress Download Manager <= 3.1.24 Authenticated Arbitrary File Upload

Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. This issue affects: WordPress Download Manager version 3.1.24 and prior versions.

We have discovered 26 live websites that are affected by CVE-2021-34639.

Affected Software


Product	WordPress Download Manager
Category	Wordpress Plugins
Vulnerable Versions	from 3.1.24 through 3.1.24
Total Vulnerable Versions	250
Vulnerable Domains	26 live websites (<0.1% of WordPress Download Manager install base)

Common Weakness Enumeration

CWE-646 Reliance on File Name or Extension of Externally-Supplied File

Distribution by Website Rank

The diagram provides a graphic representation of the correlation between the occurrence of CVE-2021-34639 and the relative popularity of websites

Available Reports

Website List

Details

Published - Aug 6, 2021
Updated - Aug 6, 2021

Credits

Ramuel Gall, Wordfence

CWE

CWE-646

CVE References

CWE References

cwe.mitre.org

Countries

United States	8 websites

Australia	3 websites
France	2 websites
Italy	2 websites
Japan	2 websites
Belgium	1 websites
Brazil	1 websites
Canada	1 websites
Cyprus	1 websites
Czech Republic	1 websites

TLDs

.com	10 websites
.org	4 websites
.it	2 websites
.be	1 websites
.co.jp	1 websites
.com.au	1 websites
.cz	1 websites
.de	1 websites
.fr	1 websites
.jp	1 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Geographical Distribution

The distribution of websites across the globe that are exposed to CVE-2021-34639 through included software libraries and plugins.

References

https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/

Websites affected by CVE-2021-34639

Top websites that are affected by CVE-2021-34639. Please click on the "Contact us" button above to get more information.

Domain	Country	Rank
*.********.com	Singapore	*,*
*.*******.*.au	Australia	,,*
*********.*.au	Australia	,,*
*********..jp	Japan	,,*
*********.com	United States	,,*
*.*******.com	Canada	,,*
*.*********.cz	Czech Republic	,,**
************.jp	Japan	,,**
****.*.ls	Lesotho	,,**
**********.*******.*.au	Australia	,,**

See full domain list

Domain	Country	Rank
*.********.com	Singapore	*,*
*.*******.*.au	Australia	,,*
*********.*.au	Australia	,,*
*********..jp	Japan	,,*
*********.com	United States	,,*
*.*******.com	Canada	,,*
*.*********.cz	Czech Republic	,,**
************.jp	Japan	,,**
****.*.ls	Lesotho	,,**
**********.*******.*.au	Australia	,,**