Download Manager Plugin up to 3.2.89 on WordPress protectMediaLibrary improper authorization

Summaryinfo

A vulnerability has been found in Download Manager Plugin up to 3.2.89 on WordPress and classified as critical. Affected is the function protectMediaLibrary. This manipulation causes improper authorization. This vulnerability is handled as CVE-2024-2098. The attack can be initiated remotely. There is not any exploit available.

Detailsinfo

A vulnerability classified as critical was found in Download Manager Plugin up to 3.2.89 on WordPress. Affected by this vulnerability is the function protectMediaLibrary. The manipulation with an unknown input leads to a improper authorization vulnerability. The CWE definition for the vulnerability is CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

The advisory is shared at wordfence.com. This vulnerability is known as CVE-2024-2098 since 03/01/2024. The exploitation appears to be easy. The attack can be launched remotely. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/12/2025). MITRE ATT&CK project uses the attack technique T1548.002 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• WordPress Plugin

Name

• Download Manager Plugin

Version

• 3.2.0
• 3.2.1
• 3.2.2
• 3.2.3
• 3.2.4
• 3.2.5
• 3.2.6
• 3.2.7
• 3.2.8
• 3.2.9
• 3.2.10
• 3.2.11
• 3.2.12
• 3.2.13
• 3.2.14
• 3.2.15
• 3.2.16
• 3.2.17
• 3.2.18
• 3.2.19
• 3.2.20
• 3.2.21
• 3.2.22
• 3.2.23
• 3.2.24
• 3.2.25
• 3.2.26
• 3.2.27
• 3.2.28
• 3.2.29
• 3.2.30
• 3.2.31
• 3.2.32
• 3.2.33
• 3.2.34
• 3.2.35
• 3.2.36
• 3.2.37
• 3.2.38
• 3.2.39
• 3.2.40
• 3.2.41
• 3.2.42
• 3.2.43
• 3.2.44
• 3.2.45
• 3.2.46
• 3.2.47
• 3.2.48
• 3.2.49
• 3.2.50
• 3.2.51
• 3.2.52
• 3.2.53
• 3.2.54
• 3.2.55
• 3.2.56
• 3.2.57
• 3.2.58
• 3.2.59
• 3.2.60
• 3.2.61
• 3.2.62
• 3.2.63
• 3.2.64
• 3.2.65
• 3.2.66
• 3.2.67
• 3.2.68
• 3.2.69
• 3.2.70
• 3.2.71
• 3.2.72
• 3.2.73
• 3.2.74
• 3.2.75
• 3.2.76
• 3.2.77
• 3.2.78
• 3.2.79
• 3.2.80
• 3.2.81
• 3.2.82
• 3.2.83
• 3.2.84
• 3.2.85
• 3.2.86
• 3.2.87
• 3.2.88
• 3.2.89

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion