CVE-2021-34639

Name of the Vulnerable Software and Affected Versions: WordPress Download Manager versions 3.1.24 and prior versions

Description: The issue allows authenticated users with Author+ permissions to upload files with double extensions, such as "payload.php.png", which can be executable in certain configurations. This poses a significant risk to web sites. Researchers have identified that the patch for this issue may not be effective, and the vulnerability can still be exploited using double extensions.

Recommendations: For WordPress Download Manager versions 3.1.24 and prior, consider disabling file upload functionality for authenticated users until a fully effective patch is available. Restrict access to the file upload feature to minimize the risk of exploitation. Avoid using double extensions in file uploads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.