CVE-2026-24956
Blind SQL Injection in Shahjada Download Manager Addons
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | download_manager_addons_for_elementor | From 1.0.0 (inc) to 1.3.0 (inc) |
| patchstack | download_manager_addons_for_elementor | 2.0.0 |
| shahjada | download_manager_addons_for_elementor | From 1.0.0 (inc) to 1.3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-24956 is a high-priority SQL Injection vulnerability found in the WordPress Download Manager Addons for Elementor Plugin versions up to 1.3.0. This vulnerability allows unauthenticated attackers to perform Blind SQL Injection attacks, meaning they can manipulate or extract data from the plugin's database without needing any privileges."}, {'type': 'paragraph', 'content': 'The issue falls under the OWASP Top 10 category A3: Injection, which involves improper neutralization of special elements in SQL commands, enabling attackers to interfere with the queries executed by the application.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to directly interact with the pluginβs database without any authentication. Potential impacts include theft of sensitive data, unauthorized data manipulation, and compromise of the integrity and confidentiality of the database.
Because no privileges are required to exploit this flaw, it is highly dangerous and likely to be actively targeted by attackers, increasing the risk of data breaches and system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability allows unauthenticated attackers to interact with the plugin's database via SQL Injection, which can be detected by monitoring for unusual or suspicious SQL queries targeting the Download Manager Addons for Elementor plugin."}, {'type': 'paragraph', 'content': 'Patchstack has issued mitigation rules to block exploitation attempts, which can be used to detect or prevent attacks.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but typical detection methods include inspecting web server logs for suspicious requests containing SQL injection patterns or using web application firewalls (WAF) with rules targeting this vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to update the Download Manager Addons for Elementor plugin to version 2.0.0 or later, which contains the patch that resolves the SQL Injection flaw.
Until the update can be applied, users should implement the mitigation rules issued by Patchstack to block exploitation attempts.
Additionally, enabling automatic vulnerability mitigation and auto-update features provided by Patchstack can help protect the system.