CVE-2024-11740
Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode ExecutionThe The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
We have discovered 11,159 live websites that are affected by CVE-2024-11740.
Affected Software
| Product |  Download Manager |
| Category | Wordpress Plugins |
| Vulnerable Domains | 11,159 live websites (33% of Download Manager install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 201 versions ( 81% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Dec 19, 2024
- Updated - Apr 8, 2026
Credits
- Michael Mazzolini (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-11740 United States | 1,972 websites |
 Japan | 1,406 websites |
 Germany | 1,132 websites |
 Italy | 1,090 websites |
 France | 532 websites |
 Spain | 426 websites |
 GB | 376 websites |
 Russia | 281 websites |
 Poland | 232 websites |
 Brazil | 223 websites |
Website Distribution by TLD
Number of websites using CVE-2024-11740| .com | 3,684 websites |
| .org | 863 websites |
| .it | 739 websites |
| .de | 653 websites |
| .net | 356 websites |
| .jp | 334 websites |
| .ru | 225 websites |
| .fr | 218 websites |
| .eu | 201 websites |
| .co.jp | 196 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-11740
Top websites that are affected by CVE-2024-11740. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.pl | Poland | *,*** | |
| ****.pt |  Portugal | **,*** | |
| *****.org | United States | **,*** | |
| **********.com | United States | **,*** | |
| ********.org | United States | **,*** | |
| *****.***.br | Brazil | **,*** | |
| *********.com | Japan | **,*** | |
| ***********************.org | United States | **,*** | |
| *********.org | United States | ***,*** | |
| *************.com | United States | ***,*** |
FAQ
CVE-2024-11740 is Improper Control of Generation of Code ('Code Injection') in Download Manager
A total of 11,159 websites have been identified as vulnerable to CVE-2024-11740, based on global website indexing conducted by WebTechSurvey.
The Download Manager is affected by the CVE-2024-11740 vulnerability.
Download Manager versions up to and including 3.3.3 are vulnerable to CVE-2024-11740.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003?source=cve
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/views/shortcode-iframe.php#L203
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/Hooks.php#L42