{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24956", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:29.518Z", "datePublished": "2026-02-20T15:47:08.982Z", "dateUpdated": "2026-04-28T16:14:51.877Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpdm-elementor", "product": "Download Manager Addons for Elementor", "vendor": "Shahjada", "versions": [{"changes": [{"at": "2.0.0", "status": "unaffected"}], "lessThanOrEqual": "1.3.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:56.946Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.<p>This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.877Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpdm-elementor/vulnerability/wordpress-download-manager-addons-for-elementor-plugin-1-3-0-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Download Manager Addons for Elementor plugin <= 1.3.0 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T19:03:44.580452Z", "id": "CVE-2026-24956", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:50:48.748Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24956", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T19:03:44.580452Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:03:35.935Z"}}], "cna": {"title": "WordPress Download Manager Addons for Elementor plugin <= 1.3.0 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "Shahjada", "product": "Download Manager Addons for Elementor", "versions": [{"status": "affected", "changes": [{"at": "2.0.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.3.0"}], "packageName": "wpdm-elementor", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:43:35.814Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpdm-elementor/vulnerability/wordpress-download-manager-addons-for-elementor-plugin-1-3-0-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.<p>This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:47:08.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24956", "state": "PUBLISHED", "dateUpdated": "2026-02-23T19:03:49.201Z", "dateReserved": "2026-01-28T09:50:29.518Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:47:08.982Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en Shahjada Download Manager Addons for Elementor wpdm-elementor permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Download Manager Addons for Elementor: desde n/a hasta &lt;= 1.3.0."}], "id": "CVE-2026-24956", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:39.817", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpdm-elementor/vulnerability/wordpress-download-manager-addons-for-elementor-plugin-1-3-0-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.0.0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Download Manager Addons for Elementor", "source": "cna", "vendor": "Shahjada"}, "product": "download_manager_addons_for_elementor", "vendor": "shahjada"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:10:17.125012+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.3.0, which contains the fix for the SQL injection flaw.", "If an upgrade is not immediately possible, disable or remove the plugin to eliminate the attack surface.", "Restrict database user privileges to the minimal permissions required for the WordPress application, which limits the impact of a potential injection."], "summary": {"action": "Patch Immediately", "impact": "Blind SQL injection in a WordPress plugin"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the WordPress plugin Download Manager Addons for Elementor, version 1.3.0 and earlier, distributed by Shahjada. No specific patch level is listed for earlier releases.", "description_and_impact": "An SQL injection vulnerability in Shahjada\u2019s Download Manager Addons for Elementor allows malicious users to inject unsanitized input into database queries. The flaw permits blind SQL injection, meaning that an attacker could, through timing or error messages, infer the presence of tables, retrieve sensitive data or glean database structure. This could compromise confidentiality and integrity of the site\u2019s data. The described impact is inferred from the nature of blind injection and is not explicitly detailed in the CVE description.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity. The EPSS score is below 1\u202f%, suggesting a very low current exploitation probability, and the flaw is not listed in CISA\u2019s KEV catalog. The flaw can be exploited remotely through the plugin\u2019s HTTP interface; the exact attack vector is inferred from typical WordPress plugin weaknesses and is not detailed in the description."}}}}, "created": "2026-02-23T14:35:49.912050+00:00", "updated": "2026-04-16T06:15:26.915821+00:00", "vendors": ["shahjada", "shahjada$PRODUCT$download_manager_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}