
Two flaws in WordPress Download Manager plugin threaten websites

A team of researchers from Wordfence discovered a vulnerability, tracked as CVE-2021-34639, affecting the WordPress Download Manager plugin. Under certain circumstances, this flaw could allow attackers to execute arbitrary code.

Specifically, the flaw allowed site users with author permissions, as well as other users, to use the "upload_files" function to upload files with the php4 extension. Other types of potentially dangerous files could also be uploaded to the vulnerable site.
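As an added example (not from the original article or the plugin's code), the following Python audit walks an uploads directory and reports files whose name carries an extension that a PHP-enabled web server may execute, such as php4. The extension set, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled web server may be configured to execute.
# Adjust this set to the handler mappings of the server being audited.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def classify(filename):
    """Return 'final' if the last extension is PHP-executable, 'inner' if an
    earlier dotted component is (e.g. name.php4.jpg), otherwise None."""
    parts = filename.lower().split(".")[1:]  # components after the base name
    if not parts:
        return None
    if parts[-1] in PHP_EXTENSIONS:
        return "final"
    if any(p in PHP_EXTENSIONS for p in parts[:-1]):
        return "inner"
    return None


def audit_uploads(root):
    """Walk root and return sorted (relative_path, kind) pairs for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), kind))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    sample = ["2021/05/report.pdf", "2021/05/invoice.php4",
              "2021/06/banner.PHP4.jpg", "2021/06/notes.txt", "files/readme.phtml"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_uploads(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:5}  {rel}")
```

Files reported as `inner` are only executable under handler configurations that match an extension anywhere in the name, so treat them as items to review rather than confirmed findings.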

This vulnerability was rated with a CVSS score of 7.5. It affects WordPress Download Manager versions 3.1.24 and below. According to the developers, they fixed the issue back in May. In addition, the developers fixed the flaw CVE-2021-34638 (CVSS score of 6.5), which could allow low-privileged users to access the wp-config.php file.

Source: anti-malware.ru

03 August 2021
