CVE-2024-11740
Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode ExecutionThe The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
We have discovered 19,198 live websites that are affected by CVE-2024-11740.
Affected Software
| Product |  WordPress Download Manager |
| Category | Wordpress Plugins |
| Vulnerable Domains | 19,198 live websites (47.01% of WordPress Download Manager install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 140 versions ( 49.30% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Dec 19, 2024
- Updated - Dec 19, 2024
Credits
- Michael Mazzolini (finder)
CWE
CVE References
CWE References
CVE-2024-11740 usage by Country
 United States | 5,022 websites |
 Germany | 2,591 websites |
 Japan | 2,542 websites |
 France | 1,135 websites |
 Italy | 772 websites |
 GB | 582 websites |
 Spain | 529 websites |
 Poland | 402 websites |
 Netherlands | 352 websites |
 Russia | 302 websites |
CVE-2024-11740 usage by TLD
| .com | 6,786 websites |
| .org | 1,500 websites |
| .de | 1,331 websites |
| .it | 652 websites |
| .net | 648 websites |
| .jp | 555 websites |
| .fr | 373 websites |
| .co.uk | 351 websites |
| .nl | 342 websites |
| .pl | 303 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-11740
Top websites that are affected by CVE-2024-11740. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.pl | Poland | *,*** | |
| ****.pt |  Portugal | **,*** | |
| *****.org | United States | **,*** | |
| **.******.com | United States | **,*** | |
| **********.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| ********.org | United States | **,*** | |
| *******.hu |  Hungary | **,*** | |
| *****.***.br | United States | **,*** | |
| *********.com | Japan | **,*** |
FAQ
CVE-2024-11740 is Improper Control of Generation of Code ('Code Injection') in WordPress Download Manager
A total of 19,198 websites have been identified as vulnerable to CVE-2024-11740, discovered through global website indexing conducted by WebTechSurvey.
WordPress Download Manager is susceptible to CVE-2024-11740 vulnerability.
WordPress Download Manager versions before, and including, 3.3.3 are vulnerable to CVE-2024-11740.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a7be578-5883-4cd3-963d-bf81c3af2003?source=cve
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/views/shortcode-iframe.php#L203
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.02/src/Package/Hooks.php#L42