CVE-2024-13618

The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
WPScanCNA
---
---
CISA-ADPADP
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
VendorProductVersion
osteopathicdownloadable_by_american_osteopathic_association
𝑥
≤ 0.1.0
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/d6a78233-3f23-4da4-9bc0-1439cde20a30/