CVE-2024-2098

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

CVSS v3.1 Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness Type (CWE)

CWE-289 CWE-289

CWE-863 Incorrect Authorization

Affected Products

Vendor	Product	Versions
w3eden	download_manager	< 3.2.90

References

Advisories & Patches

https://plugins.trac.wordpress.org/changeset/3072712/download-manager https://plugins.trac.wordpress.org/changeset/3072712/download-manager

Other References

https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve

Frequently Asked Questions

What is CVE-2024-2098? +

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files. It has a CVSS v3.1 base score of 7.5 (HIGH).

How severe is CVE-2024-2098? +

CVE-2024-2098 has a CVSS v3.1 score of 7.5 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2024-2098? +

CVE-2024-2098 affects products from w3eden, specifically: download_manager. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-2098? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-13613 9.8

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This …

CVE-2024-56511 9.8

DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in …

CVE-2025-29266 9.6

Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if …

CVE-2024-55634 8.1

A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, …

CVE-2025-64343 7.8

(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, …

CVE-2024-11283 7.5

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This …