Download Manager Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode – CVE-2024-4001 | WordPress Plugin Vulnerability Report

Plugin Name: Download Manager

Key Information:

  • Software Type: Plugin
  • Software Slug: download-manager
  • Software Status: Active
  • Software Author: codename065
  • Software Downloads: 8,675,361
  • Active Installs: 100,000
  • Last Updated: June 11, 2024
  • Patched Versions: 3.2.94
  • Affected Versions: <= 3.2.93

Vulnerability Details:

  • Name: Download Manager <= 3.2.93
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-4001
  • CVSS Score: 6.4
  • Publicly Published: June 4, 2024
  • Researcher: Thanh Nam Tran
  • Description: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_modal_login_form' shortcode in all versions up to, and including, 3.2.93 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Download Manager plugin for WordPress has a vulnerability in versions up to and including 3.2.93 that allows authenticated contributors and higher to execute stored cross-site scripting attacks via the 'wpdm_modal_login_form' shortcode. This vulnerability has been patched in version 3.2.94.

Detailed Overview:

Authenticated users with contributor-level access or higher can exploit this vulnerability by injecting malicious scripts through the 'wpdm_modal_login_form' shortcode. This could lead to arbitrary script execution on affected pages, potentially compromising user data and site security. Immediate updating to version 3.2.94 or later is recommended to mitigate this risk.

Advice for Users:

  • Immediate Action: Update Download Manager to version 3.2.94 or later immediately.
  • Check for Signs of Vulnerability: Monitor site logs and look for unexpected script executions or unusual behavior.
  • Alternate Plugins: Consider temporarily switching to alternative plugins offering similar functionality until Download Manager is updated.
  • Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities.


The swift response from Download Manager's developers in releasing version 3.2.94 underscores the importance of prompt software updates in maintaining WordPress site security. Users are urged to update their installations to version 3.2.94 or newer without delay.


Detailed Report:

In today's interconnected digital landscape, the security of your website is paramount. One recent discovery, in particular, highlights the ongoing challenge of keeping WordPress plugins secure. The Download Manager plugin, widely used for managing file downloads on WordPress sites, has been found vulnerable to CVE-2024-4001. This flaw allows authenticated users with contributor-level access or higher to inject malicious scripts via the 'wpdm_modal_login_form' shortcode. Such vulnerabilities underscore the critical need for timely updates and proactive security measures to protect against potential exploits.


Exploitation of this vulnerability could lead to unauthorized script execution, compromising user privacy, damaging site reputation, and impacting overall site functionality. For small business owners, such incidents can result in loss of customer trust, legal liabilities, and significant downtime.

Previous Vulnerabilities:

Since December 7, 2013, Download Manager has experienced 48 vulnerabilities. Each instance underscores the importance of proactive security practices and staying updated with the latest software releases to mitigate risks effectively.

The Importance of Staying on Top of Security:

Small business owners often juggle multiple responsibilities, making it challenging to prioritize website security. However, neglecting updates and security patches can expose your business to significant risks. Cybercriminals actively target outdated software, exploiting known vulnerabilities to gain unauthorized access or disrupt operations. By staying proactive and maintaining up-to-date software, you not only protect sensitive customer data and preserve business continuity but also uphold your brand's reputation as a trusted online entity.


The Download Manager vulnerability serves as a stark reminder of the dynamic threat landscape facing WordPress site owners. For small business owners managing their online presence, staying informed about security vulnerabilities can be daunting amidst daily operations. However, investing in proactive security measures, such as regular updates and monitoring, is crucial to safeguarding your business's digital assets and maintaining customer trust. By prioritizing security and leveraging available resources, you can mitigate risks effectively and ensure a resilient online presence in an ever-evolving digital environment.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Download Manager Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode – CVE-2024-4001 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment