Arbitrary PHP Code Execution in CreativeMinds CM Downloads Manager Plugin

Arbitrary PHP Code Execution in CreativeMinds CM Downloads Manager Plugin

CVE-2014-8877 · HIGH Severity

AV:N/AC:L/AU:N/C:C/I:C/A:C

The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.

Learn more about our Wordpress Pen Testing.