VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Mar 27, 2025

CM Download Manager – Organize, Protect & Share Files in WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin CM Download Manager – Organize, Protect & Share Files in WordPress (`cm-download-manager`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-30910, CVE-2024-1231 and CVE-2024-1962, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
10
High or Critical
4
Patch Coverage
100%
Last Updated
Apr 02, 2025
Priority CVE Quick Links

Fast paths into CM Download Manager – Organize, Protect & Share Files in WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
10
CVE-2014-8877 Critical 2.0.4
CVE-2014-8877 CM Download Manager – Organize, Protect & Share Files in WordPress Vulnerability

CM Download Manager <= 2.0.3 - Code Injection

CVE-2025-30910 Critical 3.0.0
CVE-2025-30910 CM Download Manager – Organize, Protect & Share Files in WordPress Remote Code Execution

CM Download Manager <= 2.9.6 - Unauthenticated Arbitrary File Deletion

CVE-2020-24146 High 2.8.0
CVE-2020-24146 CM Download Manager – Organize, Protect & Share Files in WordPress Vulnerability

CM Download Manager < 2.8.0 - Directory Traversal to Arbitrary File Deletion and Denial of Service

CVE-2022-3076 High 2.8.6
CVE-2022-3076 CM Download Manager – Organize, Protect & Share Files in WordPress Remote Code Execution

CM Download Manager <= 2.8.5 - Authenticated (Administrator+) Arbitrary File Upload

CVE-2020-24145 Medium 2.8.0
CVE-2020-24145 CM Download Manager – Organize, Protect & Share Files in WordPress Cross-Site Scripting

CM Download Manager <= 2.7.0 - Cross-Site Scripting

CVE-2014-9129 Medium 2.0.7
CVE-2014-9129 CM Download Manager – Organize, Protect & Share Files in WordPress Cross-Site Scripting

CM Download Manager <= 2.0.6 - Cross-Site Request Forgery to Cross-Site Scripting

CVE-2020-27344 Medium 2.8.0
CVE-2020-27344 CM Download Manager – Organize, Protect & Share Files in WordPress Stored Cross-Site Scripting

CM Download Manager <= 2.7.0 - Authenticated Stored Cross-Site Scripting

CVE-2024-1231 Medium 2.9.0
CVE-2024-1231 CM Download Manager – Organize, Protect & Share Files in WordPress Cross-Site Request Forgery

CM Download Manager < 2.9.0 - Cross-Site Request Forgery via unpublishHeader

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for CM Download Manager – Organize, Protect & Share Files in WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
2 critical and 2 high severity findings.
Recent CVEs
CVE-2025-30910, CVE-2024-1231 and CVE-2024-1962
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for CM Download Manager – Organize, Protect & Share Files in WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin Critical Patched: Yes CVE-2025-30910
CVE-2025-30910: CM Download Manager <= 2.9.6 - Unauthenticated Arbitrary File Deletion

The CM Download Manager – Simplify file sharing with powerful download management plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletescreenshot() function in all versions up to, and including, 2.9.6. This makes it p...

Published
Mar 27, 2025
Patched Release
3.0.0
Affected Versions
Versions up to 2.9.6
Next Step
Update to 3.0.0 or newer if supported.
Open CVE-2025-30910 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1231
CVE-2024-1231: CM Download Manager < 2.9.0 - Cross-Site Request Forgery via unpublishHeader

The CM Download Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 2.9.0. This is due to missing or incorrect nonce validation on the 'unpublishHeader' function. This makes it possible for unauthenticated attackers to unpublish downloads vi...

Published
Mar 25, 2024
Patched Release
2.9.0
Affected Versions
Versions before 2.9.0
Next Step
Update to 2.9.0 or newer if supported.
Open CVE-2024-1231 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1962
CVE-2024-1962: CM Download Manager < 2.9.1 - Cross-Site Request Forgery via editHeader

The CM Download Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 2.9.1. This is due to missing or incorrect nonce validation on the 'editHeader' function. This makes it possible for unauthenticated attackers to edit downloads via a forged...

Published
Mar 25, 2024
Patched Release
2.9.1
Affected Versions
Versions before 2.9.1
Next Step
Update to 2.9.1 or newer if supported.
Open CVE-2024-1962 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1232
CVE-2024-1232: CM Download Manager < 2.9.0 - Cross-Site Request Forgery via delHeader

The CM Download Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 2.9.0. This is due to missing or incorrect nonce validation on the 'delHeader' function. This makes it possible for unauthenticated attackers to delete downloads via a forge...

Published
Mar 25, 2024
Patched Release
2.9.0
Affected Versions
Versions before 2.9.0
Next Step
Update to 2.9.0 or newer if supported.
Open CVE-2024-1232 Report Open CVE Reference
Plugin High Patched: Yes CVE-2022-3076
CVE-2022-3076: CM Download Manager <= 2.8.5 - Authenticated (Administrator+) Arbitrary File Upload

The CM Download Manager plugin for WordPress is vulnerable to arbitrary file uploads because it allows administrators to choose the php extension as an allowable file extension in versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with admin...

Published
Sep 05, 2022
Patched Release
2.8.6
Affected Versions
Versions up to 2.8.5
Next Step
Update to 2.8.6 or newer if supported.
Open CVE-2022-3076 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2020-24145
CVE-2020-24145: CM Download Manager <= 2.7.0 - Cross-Site Scripting

The CM Download Manager plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 2.7.0 via a crafted deletescreenshot action due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary we...

Published
Apr 13, 2021
Patched Release
2.8.0
Affected Versions
Versions before 2.8.0
Next Step
Update to 2.8.0 or newer if supported.
Open CVE-2020-24145 Report Open CVE Reference
Plugin High Patched: Yes CVE-2020-24146
CVE-2020-24146: CM Download Manager < 2.8.0 - Directory Traversal to Arbitrary File Deletion and Denial of Service

Directory traversal in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows authorized users to delete arbitrary files and possibly cause a denial of service via the fileName parameter in a deletescreenshot action.

Published
Apr 13, 2021
Patched Release
2.8.0
Affected Versions
Versions before 2.8.0
Next Step
Update to 2.8.0 or newer if supported.
Open CVE-2020-24146 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2020-27344
CVE-2020-27344: CM Download Manager <= 2.7.0 - Authenticated Stored Cross-Site Scripting

The CM Download Manager plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting via the ‘filename’ parameter in versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping. This makes it possible for highly privileged at...

Published
Oct 22, 2020
Patched Release
2.8.0
Affected Versions
Versions before 2.8.0
Next Step
Update to 2.8.0 or newer if supported.
Open CVE-2020-27344 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2014-9129
CVE-2014-9129: CM Download Manager <= 2.0.6 - Cross-Site Request Forgery to Cross-Site Scripting

Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title par...

Published
Dec 01, 2014
Patched Release
2.0.7
Affected Versions
Versions up to 2.0.6
Next Step
Update to 2.0.7 or newer if supported.
Open CVE-2014-9129 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2014-8877
CVE-2014-8877: CM Download Manager <= 2.0.3 - Code Injection

The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP c...

Published
Nov 10, 2014
Patched Release
2.0.4
Affected Versions
Versions up to 2.0.3
Next Step
Update to 2.0.4 or newer if supported.
Open CVE-2014-8877 Report Open CVE Reference