CVE-2024-11740 is a code injection vulnerability classified under CWE-94 affecting the codename065 Download Manager plugin for WordPress. The flaw exists because the plugin improperly controls the generation and execution of code via WordPress shortcodes. Specifically, it allows unauthenticated attackers to invoke the do_shortcode function with unvalidated input, enabling arbitrary shortcode execution. This can lead to execution of malicious code within the context of the WordPress site, potentially allowing attackers to manipulate site content, execute arbitrary PHP code indirectly, or perform other malicious actions depending on available shortcodes. The vulnerability affects all versions up to and including 3.3.03. The CVSS v3.1 base score is 7.3, reflecting network exploitability without authentication or user interaction, and impacts confidentiality, integrity, and availability at a low level each. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is critical for sites relying on this plugin, especially those with public-facing interfaces where attackers can submit shortcode inputs. The root cause is insufficient validation and sanitization of user-supplied data before executing shortcodes, a common vector for code injection in WordPress plugins.

The impact of CVE-2024-11740 is significant for organizations using the codename065 Download Manager plugin on WordPress. Successful exploitation can allow attackers to execute arbitrary shortcodes, potentially leading to unauthorized content manipulation, data leakage, or indirect code execution. This compromises the confidentiality, integrity, and availability of the affected website. Attackers could deface websites, inject malicious scripts for further exploitation (e.g., malware distribution or phishing), or disrupt service availability. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of automated attacks. Organizations relying on this plugin for critical downloads or e-commerce functionality face heightened risk of reputational damage, data breaches, and operational disruption. The lack of known exploits in the wild suggests limited current exploitation, but the ease of exploitation and high impact make it a prime target for attackers once exploit code becomes available.

To mitigate CVE-2024-11740, organizations should immediately restrict or disable the use of shortcodes in user-submitted content within the Download Manager plugin until a patch is released. Implement input validation and sanitization to ensure that only authorized shortcodes can be executed. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious shortcode patterns or unusual requests targeting the plugin endpoints. Monitor logs for unusual shortcode execution attempts or unexpected content changes. Limit plugin usage to trusted users and restrict upload or shortcode submission capabilities to authenticated and authorized personnel. Regularly check for updates from the vendor and apply patches promptly once available. Consider isolating the WordPress environment and using security plugins that can detect and prevent code injection attacks. Additionally, conduct security audits and penetration testing focused on shortcode injection vectors to identify and remediate similar issues proactively.