PT-2024-38391 · WordPress · Download Plugins/Themes In Zip From Dashboard

Krzysztof Zając · Published 2024-08-15 · Updated 2024-08-19 · CVE-2024-7501

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Download Plugins and Themes in ZIP from Dashboard plugin for WordPress, versions prior to 1.8.8

Description: The issue is due to missing or incorrect nonce validation in the download_theme() function, which makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6, it was possible to download the entire site's files.

Recommendations: For versions up to and including 1.8.7, update to version 1.8.8 or later to resolve the issue. For versions prior to 1.8.6, update to version 1.8.8 or later to prevent the download of the entire site's files. As a temporary workaround, consider restricting access to the download_theme() function until a patch is available.
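The two defects the advisory names, a request handler that does not prove the administrator intended the action (missing nonce validation) and, in the older versions, packaging that was not confined to the theme directory, map onto two small checks in a WordPress plugin. The following is an added example written for this advisory; it is not the plugin's own code. It shows a generic admin-ajax handler that serves a theme ZIP in the weak form and in a hardened form. The hook name `dpt_download_theme`, the nonce action name and all `dpt_*` function names are hypothetical; the WordPress and PHP functions they call (`check_ajax_referer`, `wp_nonce_url`, `current_user_can`, `wp_get_theme`, `ZipArchive`) are real.

```php
<?php
/*
 * Added example, not the plugin's own code. A WordPress admin-ajax handler
 * that packages a theme directory into a ZIP, first in the weak form the
 * advisory describes (no nonce validation) and then hardened. The hook name
 * 'dpt_download_theme', the nonce action and the dpt_* names are hypothetical.
 */

/* Weak form: any page an administrator's browser loads can make it request
 * admin-ajax.php?action=dpt_download_theme&theme=<slug>, and nothing here
 * proves the administrator meant to. Shown only to contrast with the fix. */
function dpt_download_theme_weak() {
    $slug = sanitize_key( $_GET['theme'] ?? '' );
    dpt_stream_theme_zip( $slug );
}
add_action( 'wp_ajax_dpt_download_theme', 'dpt_download_theme_weak' );

/* Hardened form: a capability check (is this user allowed to export themes?)
 * plus a nonce check (did the request originate from a page this plugin
 * rendered for this user?) before any file is touched. */
function dpt_download_theme_hardened() {
    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_die( 'You are not allowed to export themes.', 403 );
    }
    // Terminates the request when the nonce is absent, expired or issued
    // for a different action; the third argument defaults to "die".
    check_ajax_referer( 'dpt_download_theme_' . get_current_user_id(), 'nonce' );
    $slug = sanitize_key( $_GET['theme'] ?? '' );
    dpt_stream_theme_zip( $slug );
}

/* The link the dashboard page would render. The nonce is bound to the
 * action name and the current user, so a link forged elsewhere cannot
 * carry a valid one. */
function dpt_download_theme_link( string $slug ): string {
    $url = admin_url( 'admin-ajax.php?action=dpt_download_theme&theme=' . rawurlencode( $slug ) );
    return wp_nonce_url( $url, 'dpt_download_theme_' . get_current_user_id(), 'nonce' );
}

/* Shared packaging helper. Resolving the path and refusing anything outside
 * the theme root is the containment that keeps a download request from
 * reaching files beyond the requested theme's directory. */
function dpt_stream_theme_zip( string $slug ): void {
    if ( '' === $slug || ! wp_get_theme( $slug )->exists() ) {
        wp_die( 'Unknown theme.', 404 );
    }
    $root = realpath( get_theme_root() );
    $dir  = realpath( $root . '/' . $slug );
    if ( false === $dir || 0 !== strpos( $dir, $root . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Refusing to package a path outside the theme root.', 400 );
    }

    $tmp = wp_tempnam( $slug . '.zip' ); // temp file under the uploads dir
    $zip = new ZipArchive();
    if ( true !== $zip->open( $tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
        wp_die( 'Could not create archive.', 500 );
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( $file->isFile() ) {
            // Store entries relative to the theme root so the ZIP unpacks as <slug>/...
            $zip->addFile( $file->getPathname(), substr( $file->getPathname(), strlen( $root ) + 1 ) );
        }
    }
    $zip->close();

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . $slug . '.zip"' );
    header( 'Content-Length: ' . filesize( $tmp ) );
    readfile( $tmp );
    unlink( $tmp );
    exit;
}
```

The nonce alone is not sufficient on its own: `check_ajax_referer` verifies intent, while `current_user_can` verifies authorisation, and a handler needs both. Binding the nonce action to the user id is optional hardening; the core protection is that the value is generated by `wp_nonce_url` on a page only an authenticated administrator can see and is then re-verified server-side.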

Fix

Weakness Enumeration: CSRF

Related Identifiers: CVE-2024-7501

Affected Products: Download Plugins/Themes In Zip From Dashboard