Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection. This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.
Published: 2026-02-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL injection in a WordPress plugin
Action: Patch Immediately
AI Analysis

Impact

An SQL injection vulnerability in Shahjada’s Download Manager Addons for Elementor allows malicious users to inject unsanitized input into database queries. The flaw permits blind SQL injection, meaning that an attacker could, through timing or error messages, infer the presence of tables, retrieve sensitive data or glean database structure. This could compromise confidentiality and integrity of the site’s data. The described impact is inferred from the nature of blind injection and is not explicitly detailed in the CVE description.

Affected Systems

The vulnerability exists in the WordPress plugin Download Manager Addons for Elementor, version 1.3.0 and earlier, distributed by Shahjada. No specific patch level is listed for earlier releases.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. The EPSS score is below 1%, suggesting a very low current exploitation probability, and the flaw is not listed in CISA’s KEV catalog. The flaw can be exploited remotely through the plugin’s HTTP interface; the exact attack vector is inferred from typical WordPress plugin weaknesses and is not detailed in the description.

Generated by OpenCVE AI on April 16, 2026 at 06:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.3.0, which contains the fix for the SQL injection flaw.
  • If an upgrade is not immediately possible, disable or remove the plugin to eliminate the attack surface.
  • Restrict database user privileges to the minimal permissions required for the WordPress application, which limits the impact of a potential injection.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Shahjada; Shahjada download Manager Addons For Elementor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Shahjada; Shahjada download Manager Addons For Elementor; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection. This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.

Type: Title
Values Removed: (none)
Values Added: WordPress Download Manager Addons for Elementor plugin <= 1.3.0 - SQL Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:51.877Z

Reserved: 2026-01-28T09:50:29.518Z

Link: CVE-2026-24956

Vulnrichment

Updated: 2026-02-23T19:03:35.935Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:39.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses