PT-2021-20606 · WordPress · Wordpress Download Manager

Ramuel Gall · Published 2021-08-05 · Updated 2021-08-12 · CVE-2021-34638

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WordPress Download Manager, version 3.1.24 and earlier.
Description: The plugin's Download template setting accepts a file path without confining it to the plugin's template directory. An authenticated user with the Contributor role or higher can therefore point the template at an arbitrary file on the server (path traversal) and obtain the contents of sensitive configuration files. A user with the Author role or higher, who can also upload media, can go further and set the template to a file containing configuration information or to an uploaded file that holds JavaScript under an image extension; the plugin renders that file, which yields stored cross-site scripting (XSS).
Recommendations: Update WordPress Download Manager to a version later than 3.1.24 (the fix shipped in 3.1.25); both issues are resolved there. If updating is not immediately possible, restrict the Download template setting so that Contributor- and Author-level users cannot change it, and do not allow those users to upload files whose contents are scripts under an image extension (for example JavaScript saved with a .png name); validate uploads by content, not only by file extension.
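As an added illustration, and not code from the plugin or from the advisory's author, the following plain-PHP function shows the two checks that close both weaknesses described above: the template value is reduced to a bare file name and confined to the template directory with realpath(), and only the plugin's own template extensions are accepted, so an uploaded media file (JavaScript under an image extension) cannot be selected even by a user who is allowed to upload. The function name resolve_download_template, the $templateDir parameter, the html-only allowlist and the demo inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Assumes download templates live in
// one fixed directory and are addressed by bare file name only.

/**
 * Resolve a user-supplied download template name to a file inside $templateDir.
 * Returns the canonical path, or null when the request must be refused.
 *
 *  1. The value is treated as a bare file name: any directory part ('..', '/',
 *     '\\') is stripped, so '../../wp-config.php' cannot leave the directory.
 *  2. The resolved path is canonicalised with realpath() and re-checked to lie
 *     under the template root, which also defeats symlinks placed by an uploader.
 *  3. Only the template extensions in $allowedExt are accepted, so a file from
 *     the media library (e.g. JavaScript saved as .png) is rejected as a template.
 */
function resolve_download_template(string $requested, string $templateDir, array $allowedExt = ['html']): ?string
{
    // 1. reduce to a bare file name, normalising Windows separators first
    $name = basename(str_replace('\\', '/', $requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // conservative character set: letters, digits, dot, underscore, hyphen
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    // 3. extension allowlist (checked before touching the filesystem)
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 2. canonicalise both sides; realpath() returns false for a missing file
    $root = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $path === false) {
        return null;
    }
    // containment: the resolved file must sit directly under the template root
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one legitimate
// template, then the two kinds of attacker input the advisory describes.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wpdm-templates-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.html', '<p>[download_link]</p>');

$cases = [
    'default.html',                // legitimate template
    '../../../wp-config.php',      // path-traversal attempt at a config file
    '../uploads/2021/08/evil.png', // uploaded "image" that really holds JavaScript
];
foreach ($cases as $requested) {
    $resolved = resolve_download_template($requested, $dir);
    printf("%-30s => %s\n", $requested, $resolved === null ? 'rejected' : 'ok: ' . basename($resolved));
}

// clean up the demo directory
unlink($dir . DIRECTORY_SEPARATOR . 'default.html');
rmdir($dir);
```

Run it with `php resolve_template.php`; only the legitimate template name resolves, and both attacker inputs are refused before any file outside the template directory is opened. In a real plugin the same function would sit in front of whatever reads and renders the template, and the allowlist would name the template extensions the plugin actually ships.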

Status: Fixed
Tags: XSS, Path traversal


Related Identifiers: CVE-2021-34638
Affected Products: Wordpress Download Manager