CVE-2024-56217: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in W3 Eden, Inc. Download Manager plugin for WordPress, affecting versions up to and including 3.3.03. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on December 19, 2024. The issue has been assigned CVE-2024-56217 and affects the plugin's access control mechanisms (WPScan, Patchstack).

The vulnerability stems from a missing capability check on a function within the Download Manager plugin. It has been classified as CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control. The vulnerability received a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Patchstack).

The vulnerability allows authenticated attackers with Contributor-level access and above to perform unauthorized actions within the WordPress installation. The security issue has been assessed as having a low severity impact, though it represents a broken access control issue that could potentially lead to unprivileged users executing higher privileged actions (WPScan).

The vulnerability has been fixed in version 3.3.04 of the Download Manager plugin. Users are advised to update to version 3.3.04 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).