CVE-2021-24969

CVE-2021-24969: Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting

Vendor Unknown

Product WordPress Download Manager

Weakness CWE-79 · XSS

Published December 27, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated users such as subscriber is able to call it and perform Cross-Site Scripting attacks

Key dates

02Disclosure timeline

December 27, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24969 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-6264 Post Meta Data Manager <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2026-48227 Open ISES Tickets < 3.44.2 Reflected XSS via patient.php id and ticket_id Parameters CVE-2025-68845 WordPress eDS Responsive Menu plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-46878 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-53978 myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Announcements