CVE-2021-34639— WordPress Download Manager <= 3.1.24 Authenticated Arbitrary File Upload
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-34639
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WordPress Download Manager <= 3.1.24 Authenticated Arbitrary File Upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
Authenticated File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. "payload.php.png" which is executable in some configurations. This issue affects: WordPress Download Manager version 3.1.24 and prior versions.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
依赖于外部提供文件的文件名或扩展名
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress 插件代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress是Wordpress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress 插件是WordPress开源的一个应用插件。 WordPress 下载管理器插件3.1.24之前版本存在代码问题漏洞,该漏洞源于插件允许认证用户上传双扩展名文件,例如:"payload.php.png"在某些配置下是可执行的。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| W3 Eden, Inc. | WordPress Download Manager | 3.1.24 ~ 3.1.24 | - |
II. Public POCs for CVE-2021-34639
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-34639
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: WordPress Download Manager
- CVE-2021-24969
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Sc - CVE-2021-24773
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Si - CVE-2021-34638
WordPress Download Manager <= 3.1.24 Authenticated Directory - CVE-2017-2216
WordPress Download Manager 跨站脚本漏洞 - CVE-2017-2217
WordPress Download Manager 安全漏洞
Same vendor: W3 Eden, Inc.
- CVE-2024-29924
WordPress Premium Packages plugin <= 5.8.2 - Cross Site Scri - CVE-2024-29114
WordPress Download Manager plugin <= 3.2.84 - Cross Site Scr - CVE-2022-45836
WordPress Download Manager Plugin <= 3.2.59 is vulnerable to - CVE-2022-36288
WordPress Download Manager plugin <= 3.2.48 - Multiple Cross - CVE-2022-34658
WordPress Download Manager plugin <= 3.2.48 - Multiple Authe
Same weakness: CWE-646
- CVE-2026-20172
Cisco Enterprise Chat and Email Lite Agent File Upload Vulne - CVE-2025-30662
Zoom Workplace VDI Plugin macOS Universal Installer - Symlin - CVE-2025-41720
Sauter: Arbitrary File Upload - CVE-2025-58449
Maho Vulnerable to Authenticated Remote Code Execution via F - CVE-2025-1889
picklescan - Security scanning bypass via non-standard file
V. Comments for CVE-2021-34639
No comments yet