Written by Admin on 2025-05-06
WordPress Download Manager 2.6.8 Shell Upload Vulnerability
The popular WordPress plugin, Download Manager, has been found to have a vulnerability in version 2.6.8. The flaw allows an attacker to upload a shell script and gain control of the website.
Background
The Download Manager plugin is a popular tool used by website owners to manage and track file downloads. It has over 100,000 active installations and has been around since 2010.
The vulnerability was first discovered by the WPScan research team. They found that the upload function in the plugin did not properly validate the file type, allowing an attacker to upload a shell script disguised as a file.
Impact
If a site running version 2.6.8 of the Download Manager plugin is compromised, an attacker can run any code they want on the site. This could include stealing sensitive information such as user credentials or installing malware to infect visitors.
Mitigation
The easiest way to protect your site is to update the plugin to version 2.9.57 or later, as this issue has been fixed in newer versions. If updating is not possible, a temporary fix can be applied by disabling the upload feature of the plugin.
It is also recommended to regularly update all plugins and themes on your WordPress site, and to use a web application firewall to block attacks.
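The following is an added example, not code from the original post or from the plugin: a Python audit that walks an uploads directory and flags files that a missing file-type check like the one described above would let through. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumption: adjust to your server config).
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def classify(name, head):
    """Return a reason string if an uploaded file looks like server-side code, else None."""
    # Check every extension, not only the last: some handler configurations
    # also execute double-extension names such as "notes.php.txt".
    parts = name.lower().split(".")[1:]
    if any(p in EXEC_EXTS for p in parts):
        return "executable extension"
    # A benign extension does not prove benign content: look for a PHP open tag.
    if b"<?php" in head.lower():
        return "PHP tag in content"
    return None


def scan_uploads(root, sniff_bytes=4096):
    """Walk an uploads tree and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(sniff_bytes)
            reason = classify(fname, head)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp directory and scan it."""
    samples = {
        "report.pdf": b"%PDF-1.4\n",
        "photo.jpg": b"\xff\xd8\xff\xe0 <?php /* constructed sample */ ?>",
        "notes.php.txt": b"plain text",
        "tool.phtml": b"<html></html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Point `scan_uploads` at the site's real uploads directory to review findings; a hit is a lead for investigation, not proof of compromise.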
Conclusion
The vulnerability in Download Manager is a reminder of the importance of keeping WordPress sites up to date and implementing strong security measures. By staying informed and taking action to protect our websites, we can reduce the risk of being targeted by cybercriminals.