CVE-2019-15889

moderate-risk

Published 2019-09-03

The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.

Do I need to act?

5.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

47350

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Download Manager

Affected Vendors

W3Eden

References (14)

http://packetstormsecurity.com/files/154356/WordPress-Download-Manager-2.9.93-Cr...

Exploit https://packetstormsecurity.com/files/152511/WordPress-Download-Manager-2.9.92-C...

Exploit https://packetstormsecurity.com/files/152552/WordPress-Download-Manager-2.9.93-C...

Patch https://plugins.trac.wordpress.org/changeset/2070388/download-manager

Product https://wordpress.org/plugins/download-manager/#developers

Exploit https://wpvulndb.com/vulnerabilities/9257

Third Party Advisory https://www.cybersecurity-help.cz/vdb/SB2019041819

http://packetstormsecurity.com/files/154356/WordPress-Download-Manager-2.9.93-Cr...

Exploit https://packetstormsecurity.com/files/152511/WordPress-Download-Manager-2.9.92-C...

Exploit https://packetstormsecurity.com/files/152552/WordPress-Download-Manager-2.9.93-C...

Patch https://plugins.trac.wordpress.org/changeset/2070388/download-manager

Product https://wordpress.org/plugins/download-manager/#developers

Exploit https://wpvulndb.com/vulnerabilities/9257

Third Party Advisory https://www.cybersecurity-help.cz/vdb/SB2019041819

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 9/34 · Low

Exposure 5/34 · Minimal