NVD Vulnerability Detail

CVE-2021-25069

Summary	The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue
Publication Date	Feb. 21, 2022, 8:15 p.m.
Registration Date	Feb. 22, 2022, 10 a.m.
Last Update	Nov. 21, 2024, 2:54 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:wpdownloadmanager:download_manager::::::wordpress::*					3.2.34

Related information, measures and tools

No	URL	タグ
1	https://plugins.trac.wordpress.org/changeset/2656086	Release Notes Third Party Advisory
2	https://plugins.trac.wordpress.org/changeset/2656086	Release Notes Third Party Advisory
3	https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8	Exploit Third Party Advisory
4	https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8	Exploit Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Download Manager WordPress プラグインにおける SQL インジェクションの脆弱性

Title	Download Manager WordPress プラグインにおける SQL インジェクションの脆弱性
Summary	Download Manager WordPress プラグインには、SQL インジェクションの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 11, 2022, midnight
Registration Date	June 21, 2023, 10:43 a.m.
Last Update	June 21, 2023, 10:43 a.m.

Affected System

WordPress Download Manager

WordPress Download Manager 3.2.34 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-25069	https://www.cve.org/CVERecord?id=CVE-2021-25069
National Vulnerability Database (NVD)
2	CVE-2021-25069	https://nvd.nist.gov/vuln/detail/CVE-2021-25069

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
WordPress Plugin Changeset
1	Changeset 2656086	https://plugins.trac.wordpress.org/changeset/2656086
WordPress Plugin Directory
2	Download Manager	https://wordpress.org/plugins/download-manager/

その他

No	Name	URL
関連文書
1	WordPress Download Manager < 3.2.34 - Authenticated SQL Injection to Reflected XSS	https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8

Change Log

No	Changed Details	Date of change
1	[2023年06月21日] 掲載	June 21, 2023, 10:43 a.m.