W3eden Download Manager — known CVE vulnerabilities
Every CVE whose affected-product data names W3eden Download Manager, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (48)
CVE-2022-2436 — CVSS 8.8 (high): The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in…
CVE-2021-25069 — CVSS 8.8 (high): The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL…
CVE-2014-9260 — CVSS 8.8 (high): The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users to update every…
CVE-2022-2431 — CVSS 8.1 (high): The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to…
CVE-2023-1809 — CVSS 7.5 (high): The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to…
CVE-2021-25087 — CVSS 7.5 (high): The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of the REST API endpoints, allowing…
CVE-2022-2362 — CVSS 7.5 (high): The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR…
CVE-2024-2098 — CVSS 7.5 (high): The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the…
CVE-2022-0828 — CVSS 7.5 (high): The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an…
CVE-2021-34639 — CVSS 7.5 (high): Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double…
CVE-2023-6421 — CVSS 7.5 (high): The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one.
CVE-2024-11740 — CVSS 7.3 (high): The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03…
CVE-2024-29114 — CVSS 6.5 (medium): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in W3 Eden, Inc. Download Manager allows…
CVE-2023-1524 — CVSS 6.5 (medium): The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a…
CVE-2022-2101 — CVSS 6.4 (medium): The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to…
CVE-2025-4367 — CVSS 6.4 (medium): The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in…
CVE-2024-5266 — CVSS 6.4 (medium): The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdm_user_dashboard, wpdm_package…
CVE-2023-2305 — CVSS 6.4 (medium): The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdm_members', 'wpdm_login_form'…
CVE-2023-6954 — CVSS 6.4 (medium): The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up…
CVE-2024-4160 — CVSS 6.4 (medium): The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm-all-packages' shortcode in…
CVE-2024-6208 — CVSS 6.4 (medium): The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_all_packages' shortcode in…
CVE-2017-2217 — CVSS 6.1 (medium): Open redirect vulnerability in WordPress Download Manager prior to version 2.9.51 allows remote attackers to redirect users to arbitrary…
CVE-2017-18032 — CVSS 6.1 (medium): The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to…
CVE-2017-2216 — CVSS 6.1 (medium): Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web…
CVE-2019-15889 — CVSS 6.1 (medium): The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or…
CVE-2022-1985 — CVSS 6.1 (medium): The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including 3.2.42. This is…
CVE-2022-2168 — CVSS 6.1 (medium): The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the…
CVE-2022-4476 — CVSS 5.4 (medium): The Download Manager WordPress plugin before 3.2.62 does not validate and escapes some of its shortcode attributes before outputting them…
CVE-2022-36288 — CVSS 5.4 (medium): Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.
CVE-2021-24969 — CVSS 5.4 (medium): The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various…
CVE-2024-8444 — CVSS 5.4 (medium): The Download Manager WordPress plugin before 3.3.00 doesn't sanitize some of it's shortcode parameters, leading to cross site scripting.
CVE-2025-1785 — CVSS 5.4 (medium): The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the…
CVE-2023-6785 — CVSS 5.3 (medium): The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to…
CVE-2024-11768 — CVSS 5.3 (medium): The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password…
CVE-2024-32131 — CVSS 5.3 (medium): Exposure of Sensitive Information to an Unauthorized Actor vulnerability in W3 Eden Inc. Download Manager allows Functionality Bypass.This…
CVE-2014-8585 — CVSS 5.0 (medium): Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files…
CVE-2024-8284 — CVSS 4.8 (medium): The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege…
CVE-2021-24773 — CVSS 4.8 (medium): The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing…
CVE-2024-10706 — CVSS 4.8 (medium): The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege…
CVE-2024-13126 — CVSS 4.6 (medium): The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing…
CVE-2024-1766 — CVSS 4.4 (medium): The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and…
CVE-2017-20093 — CVSS 4.3 (medium): A vulnerability, which was classified as problematic, was found in Download Manager Plugin 2.8.99. Affected is an unknown function. The…
CVE-2013-7319 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject…
CVE-2022-34347 — CVSS 4.2 (medium): Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.