WordPress Security: Serious Vulnerability in WordPress Download Manager

There is a serious vulnerability in the WordPress Download Manager plugin that allows a remote attacker to upload malicious scripts to your website, gain administrative access, and modify passwords.

The vulnerability exists in versions of WordPress Download Manager older than 2.7.5. The Changelog confirms this has been fixed as of version 2.7.5.

The Problem:

WP Download Manager was allowing unauthenticated AJAX calls to execute arbitrary functions. This would allow an attacker to upload arbitrary files and perform a variety of other malicious tasks.

What to do:

Upgrade to WordPress Download Manager version 2.7.5, which is the newest version at the time of writing. The author has also confirmed that the newest version of WP Download Manager Pro has been fixed.

Please spread the word in the WP community to ensure anyone using this plugin upgrades to the newest version promptly.
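The bug class described above, as an added illustration and not the plugin's own code: a hypothetical WordPress AJAX handler registered on a `wp_ajax_nopriv_` hook that dispatches to whatever function name the request supplies, shown beside a hardened handler that drops the unauthenticated hook and adds a nonce check, a capability check and a fixed allow-list. All hook, function and task names are assumptions.

```php
<?php
// Illustrative pattern only (hypothetical; not WP Download Manager's actual code).

// --- Weak pattern: unauthenticated, request-controlled dispatch ------------
// Anyone who can reach admin-ajax.php can name a function and have it run.
function hypothetical_weak_ajax_handler() {
    $fn   = isset( $_POST['execute'] ) ? $_POST['execute'] : '';
    $args = isset( $_POST['args'] ) ? (array) $_POST['args'] : array();
    if ( function_exists( $fn ) ) {
        call_user_func_array( $fn, $args ); // any function, any caller
    }
    wp_die();
}
add_action( 'wp_ajax_nopriv_hypothetical_dm_task', 'hypothetical_weak_ajax_handler' );
add_action( 'wp_ajax_hypothetical_dm_task', 'hypothetical_weak_ajax_handler' );

// --- Hardened pattern --------------------------------------------------------
// 1. No nopriv hook: only logged-in users reach the handler at all.
// 2. A nonce ties the request to a page the site itself rendered (CSRF check).
// 3. A capability check restricts the task to users allowed to manage uploads.
// 4. A fixed allow-list replaces the request-controlled function name.
function hypothetical_hardened_ajax_handler() {
    check_ajax_referer( 'hypothetical_dm_task_nonce', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $allowed = array(
        'list' => 'hypothetical_list_packages',
    );
    $task = isset( $_POST['task'] ) ? sanitize_key( $_POST['task'] ) : '';
    if ( ! isset( $allowed[ $task ] ) ) {
        wp_send_json_error( 'unknown task', 400 );
    }
    wp_send_json_success( call_user_func( $allowed[ $task ] ) );
}
add_action( 'wp_ajax_hypothetical_dm_task', 'hypothetical_hardened_ajax_handler' );

// Placeholder for the real work the task would do.
function hypothetical_list_packages() {
    return array( 'packages' => array() );
}
```

When reviewing a plugin, every `wp_ajax_nopriv_` registration deserves a look at what the handler can reach without a nonce or capability check.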


Comments

  • Thanks.

  • Thank you so much!

  • Wordfence Thanks!!!

  • Thanks.

    These near-constant security holes are souring me on continuing to recommend WordPress. Just ran into an issue where a family member's web site was hacked because their premium theme depended upon another premium plugin, revslider.

  • Hi Guys. It would look as if my site has been hacked in this way. I have lost all access through two different admin passwords, and if I check my error-log file it seems to have problems with the database.
    There are some slight changes to the home page, but other than that I can't see anything else.
    Is there any way of fixing this, or do I have to go back to a backup from before it occurred?

    Cheers

  • Thanks wordfence

  • thanks Wordfence, keep going!