{"api_version":"1","generated_at":"2026-05-06T07:32:47+00:00","cve":"CVE-2024-2098","urls":{"html":"https://cve.report/CVE-2024-2098","api":"https://cve.report/api/cve/CVE-2024-2098.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-2098","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-2098"},"summary":{"title":"Download Manager <= 3.2.89 - Improper Authorization via protectMediaLibrary","description":"The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-06-13 06:15:09","updated_at":"2026-04-08 17:18:29"},"problem_types":["CWE-289","CWE-863","CWE-289 CWE-289 Authentication Bypass by Alternate Name"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3072712/download-manager","name":"https://plugins.trac.wordpress.org/changeset/3072712/download-manager","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2098","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2098","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"codename065","product":"Download Manager","version":"affected 3.2.89 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-03-11T00:00:00.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2024-06-12T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Moritz Öhrlein","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"2098","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"w3eden","cpe5":"download_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"free","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-2098","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-06-13T14:53:39.905967Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-13T14:53:50.431Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T19:03:38.699Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/3072712/download-manager"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Download Manager","vendor":"codename065","versions":[{"lessThanOrEqual":"3.2.89","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Moritz Öhrlein"}],"descriptions":[{"lang":"en","value":"The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files."}],"metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-289","description":"CWE-289 Authentication Bypass by Alternate Name","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:36:33.116Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1301c8af-d81a-40f1-96fa-e8252309d8a4?source=cve"},{"url":"https://plugins.trac.wordpress.org/changeset/3072712/download-manager"}],"timeline":[{"lang":"en","time":"2024-03-11T00:00:00.000Z","value":"Vendor Notified"},{"lang":"en","time":"2024-06-12T00:00:00.000Z","value":"Disclosed"}],"title":"Download Manager <= 3.2.89 - Improper Authorization via protectMediaLibrary"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-2098","datePublished":"2024-06-13T05:34:44.893Z","dateReserved":"2024-03-01T15:59:07.828Z","dateUpdated":"2026-04-08T16:36:33.116Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-06-13 06:15:09","lastModifiedDate":"2026-04-08 17:18:29","problem_types":["CWE-289","CWE-863","CWE-289 CWE-289 Authentication Bypass by Alternate Name"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:w3eden:download_manager:*:*:*:*:free:wordpress:*:*","versionEndExcluding":"3.2.90","matchCriteriaId":"58C81973-4610-407B-A1D8-5F63D9A3D062"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"2098","Ordinal":"1","Title":"Download Manager <= 3.2.89 - Improper Authorization via protectM","CVE":"CVE-2024-2098","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"2098","Ordinal":"1","NoteData":"The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.","Type":"Description","Title":"Download Manager <= 3.2.89 - Improper Authorization via protectM"}]}}}