CVE-2026-24956
Awaiting Analysis Awaiting Analysis - Queue
Blind SQL Injection in Shahjada Download Manager Addons

Publication date: 2026-02-20

Last updated on: 2026-02-23

Assigner: Patchstack

Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24956
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
patchstack download_manager_addons_for_elementor From 1.0.0 (inc) to 1.3.0 (inc)
patchstack download_manager_addons_for_elementor 2.0.0
shahjada download_manager_addons_for_elementor From 1.0.0 (inc) to 1.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24956 is a high-priority SQL Injection vulnerability found in the WordPress Download Manager Addons for Elementor Plugin versions up to 1.3.0. This vulnerability allows unauthenticated attackers to perform Blind SQL Injection attacks, meaning they can manipulate or extract data from the plugin's database without needing any privileges."}, {'type': 'paragraph', 'content': 'The issue falls under the OWASP Top 10 category A3: Injection, which involves improper neutralization of special elements in SQL commands, enabling attackers to interfere with the queries executed by the application.'}] [1]

Impact Analysis

This vulnerability can have severe impacts as it allows attackers to directly interact with the plugin’s database without any authentication. Potential impacts include theft of sensitive data, unauthorized data manipulation, and compromise of the integrity and confidentiality of the database.

Because no privileges are required to exploit this flaw, it is highly dangerous and likely to be actively targeted by attackers, increasing the risk of data breaches and system compromise.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability allows unauthenticated attackers to interact with the plugin's database via SQL Injection, which can be detected by monitoring for unusual or suspicious SQL queries targeting the Download Manager Addons for Elementor plugin."}, {'type': 'paragraph', 'content': 'Patchstack has issued mitigation rules to block exploitation attempts, which can be used to detect or prevent attacks.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but typical detection methods include inspecting web server logs for suspicious requests containing SQL injection patterns or using web application firewalls (WAF) with rules targeting this vulnerability.'}] [1]

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the Download Manager Addons for Elementor plugin to version 2.0.0 or later, which contains the patch that resolves the SQL Injection flaw.

Until the update can be applied, users should implement the mitigation rules issued by Patchstack to block exploitation attempts.

Additionally, enabling automatic vulnerability mitigation and auto-update features provided by Patchstack can help protect the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart