| Plugin name | Download Manager Addons for Elementor |
|---|---|
| Vulnerability type | SQL injection |
| CVE ID | CVE-2026-24956 |
| Severity | Critical |
| CVE publication date | 2026-02-13 |
| Source URL | CVE-2026-24956 |
Urgent: SQL Injection (CVE-2026-24956) in Download Manager Addons for Elementor — What WordPress Site Owners Must Do Now
A critical unauthenticated SQL Injection vulnerability affecting the Download Manager Addons for Elementor plugin (versions ≤ 1.3.0) has been publicly disclosed (CVE-2026-24956). The vulnerability carries a CVSS score of 9.3 (Critical) and allows unauthenticated attackers to execute arbitrary SQL against your WordPress database.
This advisory explains the risk, realistic attack scenarios, how to detect whether your site was targeted, immediate mitigations you can apply, long-term hardening recommendations, and practical operational steps for recovery. This is written from the perspective of a Hong Kong security practitioner focused on concise, actionable guidance for site owners.
Quick summary
- Affected plugin: Download Manager Addons for Elementor (plugin slug: wpdm-elementor)
- Vulnerable versions: ≤ 1.3.0
- Fixed in: 2.0.0
- CVE: CVE-2026-24956
- Vulnerability type: SQL Injection (OWASP Top 10 A03: Injection)
- Required privileges: None — exploitable by unauthenticated attackers
- CVSS score: 9.3 (Critical)
- Disclosure date: February 11, 2026 (reported earlier to the vendor)
- Risk: Attackers may read or manipulate database contents, exfiltrate sensitive data, escalate privileges, or create persistent backdoors.
Why this is serious
An unauthenticated SQL Injection in a WordPress plugin is among the most dangerous vulnerability classes for these reasons:
- Unauthenticated: No login is required to attempt exploitation.
- Direct database access: SQL Injection allows arbitrary database queries when untrusted input is concatenated into SQL. This can expose wp_users, wp_usermeta, wp_options, and other tables.
- Post-exploit impact: Attackers commonly deploy backdoors, create administrative users, modify content, or install scheduled jobs. Recovery can require full incident response.
- Broad impact: Elementor and its add-ons are widely used; any unpatched site running the vulnerable addon may be at risk.
Treat any site with the vulnerable plugin as potentially compromised until you verify otherwise.
How SQL Injection typically appears in WordPress plugins (non-technical)
Plugins commonly use the WordPress database API ($wpdb). SQL Injection happens when untrusted input, such as values from GET or POST parameters, is concatenated into a query string without parameter binding (prepared statements) or strict validation.
Typical developer mistakes that lead to SQLi:
- Concatenating $_GET/$_POST values directly into a query string instead of using prepared statements.
- Relying on string escaping instead of parameterized queries, for example escaping a numeric value that is never quoted in the query, which leaves it injectable.
- Not validating parameter lengths, characters, or types for public endpoints.
Realistic attack scenarios
- Data exfiltration: Reading sensitive rows (wp_users, wp_usermeta, wp_options) to harvest email addresses, password hashes, API keys or other PII.
- Privilege escalation and account takeover: Modify roles, create new admin users, or change options that allow remote code execution.
- Persistence and backdoors: Inject malicious posts, add PHP files to uploads, create cron tasks that call remote scripts, or modify theme/plugin settings to enable uploads.
- Pivot to broader compromise: Use exfiltrated credentials to access third-party services or install web shells to run OS commands.
Immediate mitigation — what to do now (step-by-step)
If you run a WordPress site using the Download Manager Addons for Elementor plugin, act immediately:
- Check if the plugin is installed and which version:
- Dashboard > Plugins: check version.
- If the dashboard is unavailable, inspect the Version: line in the header of the plugin's main PHP file under wp-content/plugins/wpdm-elementor on the server.
- Update to the fixed version (2.0.0) as soon as possible:
- Updating is the definitive remediation. Test on staging if you have customisations.
- If automatic update is feasible and you have reliable backups, update promptly.
- If you cannot update immediately, apply temporary mitigations:
- Disable the plugin (rename its folder or deactivate it) to stop the vulnerable code from executing.
- Put the site into maintenance mode to reduce probing if disabling the plugin disrupts workflows.
- Block access to known plugin endpoints via your webserver (nginx/apache) or hosting control panel.
- Apply a managed Web Application Firewall (WAF) or virtual patching rules from a trusted security provider to block SQLi patterns targeting the plugin endpoints.
- Restrict access by IP to admin and plugin endpoints where feasible (allowlist trusted IPs temporarily).
- If you have CDN or host-level request filtering, enable rules that block SQLi payloads or suspicious parameter content.
- Rotate credentials and passwords:
- Consider changing the WordPress salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, etc.) if session exposure is suspected; changing them invalidates every existing login cookie, so all users are logged out.
- Rotate API keys or tokens stored on the site if you suspect exfiltration.
- Force password resets for administrative accounts as a precaution.
- Backup before making changes: Ensure a full backup (files + DB) is taken and stored offline before major remediation steps.
- Preserve logs and evidence: Collect webserver access/error logs, database logs, and any application logs covering the relevant timeframe.
- Conduct an integrity scan and manual review:
- Scan for newly modified files and unexpected PHP files in uploads or theme/plugin directories.
- Look for suspicious scheduled tasks and unexpected admin users.
- Inspect wp_options and wp_posts for injected content or unknown autoloaded options.
- If you detect compromise, follow incident response steps (isolate, preserve evidence, restore from clean backup, rotate secrets, engage professional forensic help if needed).
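Confirming the installed version across many hosts is easier with a script. The following is an added example (not code from the advisory or the plugin vendor) in Python that parses the Version: line of a plugin's main PHP file header and compares it with the ranges this advisory states; the plugin directory, the main file name and the sample header text are assumptions.

```python
"""Classify an installed copy of the plugin against this advisory's version ranges.

Added example, not code from the advisory or the plugin. It reads the 'Version:'
line of a WordPress plugin's main PHP file header. The plugin directory and main
file name are assumptions; SAMPLE_HEADER is constructed.
"""
import re
from pathlib import Path
from typing import Optional

AFFECTED_MAX = "1.3.0"  # advisory: versions <= 1.3.0 are vulnerable
FIXED_MIN = "2.0.0"     # advisory: fixed in 2.0.0

# Constructed plugin header in the standard WordPress format (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Download Manager Addons for Elementor
 * Version: 1.2.4
 * Text Domain: wpdm-elementor
 */
"""

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric sort key so that 1.10.0 > 1.9.2 (plain string comparison gets this wrong)."""
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group(0)) if digits else 0)
    return tuple(key)


def classify(version: str) -> str:
    """Map a version to the action this advisory calls for."""
    if version_key(version) <= version_key(AFFECTED_MAX):
        return "vulnerable: within the affected range, update to 2.0.0 or later"
    if version_key(version) < version_key(FIXED_MIN):
        return "below fixed release: not listed as affected, but update to 2.0.0 or later"
    return "fixed release or later"


def check_plugin_file(main_file: Path) -> str:
    """Classify the plugin from its main file on disk; a missing file means not installed."""
    if not main_file.is_file():
        return "not installed"
    version = parse_version(main_file.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "installed, but no Version: header found"
    return f"{version}: {classify(version)}"


if __name__ == "__main__":
    # Stand-alone run on the constructed header. On a real host, point check_plugin_file()
    # at wp-content/plugins/wpdm-elementor/<main-file>.php (the main file name is an assumption).
    v = parse_version(SAMPLE_HEADER)
    print(v, "->", classify(v))
```

Versions between 1.3.0 and 2.0.0 are not listed as affected by this advisory, so the script reports them separately rather than calling them safe; the advisory's own instruction is to move to 2.0.0 or later.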
How managed WAFs and security services can help immediately
If you use a managed WAF or security service, ask them to deploy targeted, conservative rules to block SQLi attempts against known plugin endpoints. Typical protections include:
- Rules that match requests to the plugin paths and inspect parameters for SQL control characters combined with SQL keywords.
- Virtual patching: rules that neutralise exploit attempts without modifying site code.
- Rate-limiting and bot/challenge responses (CAPTCHA) for suspicious automated traffic.
- Logging and alerting of blocked requests with full request context for incident analysis.
Recommended WAF rule examples (conceptual, defensive only)
WAF rules should be narrowly scoped to avoid false positives. Conceptual defensive filters include:
- Block requests to plugin endpoints whose parameters contain SQL comment tokens (--), stacked-query separators (;) or sequences such as UNION SELECT.
- Block or challenge requests with long URL-encoded payloads containing SQL keywords (%27 OR %27, UNION, SELECT, INFORMATION_SCHEMA).
- Rate-limit requests to plugin endpoints from single IPs to deter automated scanning/exploitation.
- Deny requests with suspicious user agents or those matching known scanner signatures.
- Allowlist legitimate POST endpoints where possible, blocking unknown or unexpected inputs.
Start with logging and monitoring before enforcing blocks to tune rules and reduce false positives.
How to check whether your site was targeted or exploited
Some checks require server access (SSH / DB console). Preserve backups and logs before altering evidence.
- Review webserver access logs:
- Search for requests to plugin endpoints or paths containing wpdm or the plugin slug (wpdm-elementor) together with SQL keywords or suspicious encodings.
- Note repeated requests from single IPs and unusual user agents.
- Check WAF logs (if present): Look for blocked SQLi attempts and rule hits. Export logs for analysis.
- Inspect recent file changes: On the server, check for modified theme/plugin files:
find . -type f -mtime -30 -print
Look especially for PHP files under wp-content/uploads.
- Review user accounts and recent registrations: Look for recently created admin accounts:
SELECT ID, user_login, user_email, user_registered FROM wp_users WHERE user_registered >= '2026-01-01' ORDER BY user_registered DESC LIMIT 50;
SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities%';
- Inspect wp_posts and wp_options: Search for injected scripts, unfamiliar autoloaded options, or unexpected plugin settings.
- Check scheduled tasks (wp_cron): Use WP-CLI or dashboard tools to list cron events; unknown tasks that call remote URLs are suspicious.
- Database and general logs: If you have MySQL general or slow logs, review for unusual SELECTs or queries with SQL keywords.
- Compare backups: Compare recent backups with a known-good baseline to identify changes.
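The access-log review above, and the indicator patterns that the conceptual WAF rules earlier in this advisory describe, can be implemented as a small script. The following is an added example in Python (not tooling from the advisory); the log lines are constructed, and the request paths and parameter names are assumptions, since the advisory does not publish the vulnerable endpoint. It goes slightly beyond the text by also decoding double-URL-encoded payloads and flagging the time-based functions SLEEP and BENCHMARK.

```python
"""Scan webserver access logs for SQL-injection probes aimed at the plugin.

Added example, not tooling from the advisory. Log lines are constructed and the
request paths and parameter names are assumptions (the advisory does not publish
the vulnerable endpoint). Only the request line is inspected: POST bodies are not
in access logs, so those need WAF or application logs.
"""
import re
import sys
from collections import Counter
from typing import Optional
from urllib.parse import unquote_plus

# Apache/nginx combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Requests that touch the plugin: the slug wpdm-elementor, or 'wpdm' in a path or parameter.
PLUGIN_PATH_RE = re.compile(r"wpdm", re.IGNORECASE)
# Indicators from the advisory's conceptual WAF rules, plus time-based functions;
# each is applied to the fully URL-decoded request line.
SQLI_PATTERNS = {
    "sql_comment": re.compile(r"--|/\*"),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|drop|alter|union)\b", re.I),
    "union_select": re.compile(r"\bunion\b[\s/*]*(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "quote_tautology": re.compile(r"'\s*(?:or|and)\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}
# Constructed sample log (not real traffic): 198.51.100.7 probes the plugin three times,
# the third double-URL-encoded; 192.0.2.5 injects into the site search, not the plugin.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [12/Feb/2026:10:00:01 +0000] "GET /wp-content/plugins/wpdm-elementor/assets/js/front.js HTTP/1.1" 200 1234 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2026:10:00:05 +0000] "GET /?wpdm_action=list&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4321 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Feb/2026:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=wpdm_elementor_list&id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Feb/2026:10:00:07 +0000] "GET /?wpdm_action=list&id=1%2527%2520UNION%2520SELECT%2520null%252Cnull%2520FROM%2520information_schema.tables HTTP/1.1" 200 4321 "-" "python-requests/2.31"',
    '192.0.2.5 - - [12/Feb/2026:10:01:00 +0000] "GET /?s=%27%20OR%201%3D1 HTTP/1.1" 200 9876 "-" "curl/8.4"',
    'not a log line',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so double-encoded payloads are inspected decoded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(path: str) -> tuple:
    """Names of the indicator patterns that fire on the decoded request path."""
    decoded = fully_decode(path)
    return tuple(name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded))


def scan_lines(lines, plugin_only: bool = True) -> list:
    """One hit per request carrying SQLi indicators (plugin-related requests only by default)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; count these separately in production
        if plugin_only and not PLUGIN_PATH_RE.search(entry["path"]):
            continue
        indicators = sqli_indicators(entry["path"])
        if indicators:
            hits.append({"ip": entry["ip"], "time": entry["time"], "status": entry["status"],
                         "ua": entry["ua"] or "-", "path": fully_decode(entry["path"]),
                         "indicators": indicators})
    return hits


def by_ip(hits) -> Counter:
    """Hit count per source IP: the input for rate limits or blocks."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    # Usage: python scan.py access.log   (without an argument it runs on the constructed sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG_LINES
    found = scan_lines(lines)
    for h in found:
        print(h["ip"], h["time"], h["status"], ",".join(h["indicators"]), h["path"], h["ua"])
    print("hits per IP:", dict(by_ip(found)))
```

Run it in report mode first, as the WAF section advises: review what the patterns match on your own traffic before turning the same logic into blocking rules, and remember that a 200 status on a probe does not by itself prove the injection succeeded.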
If you find unauthorised admin users, web shells, unknown scheduled tasks, or unexpected file changes, treat the site as compromised and follow the incident response checklist below.
Incident response and recovery checklist
- Isolate the site (block external traffic) to stop further damage.
- Preserve logs and create a full image of the site for forensics.
- Take the site offline or enable maintenance mode if needed.
- Restore from a clean backup taken before the compromise.
- Rotate all secrets and API keys stored on the site.
- Reset administrative passwords and require password resets for elevated roles.
- Remove malicious files, web shells, and unauthorised plugins/themes.
- Apply updates to core, themes and plugins, including updating the vulnerable plugin to 2.0.0 or later.
- Rescan the restored environment with a malware scanner and review WAF logs.
- Monitor logs and alerts carefully for persistence or repeat attempts.
- If data was exfiltrated, follow legal and regulatory disclosure requirements applicable to your jurisdiction.
Developer guidance — how the plugin author should fix this class of issue
Plugin developers should apply robust input validation and correct usage of WordPress DB APIs:
- Use $wpdb->prepare() for every SQL query that includes untrusted input.
- Prefer WordPress abstractions (WP_Query, WP_User_Query) that parameterise values.
- Sanitise and validate input with sanitize_text_field(), intval(), absint(), esc_url_raw() and type-specific validators.
- Enforce length limits and character whitelists where applicable.
- Avoid dynamic table or column names derived from user input; if unavoidable, validate against a strict whitelist.
- Apply least privilege and avoid exposing endpoints that execute arbitrary queries.
- Include unit and security tests that attempt common injection payloads to prevent regressions.
- Communicate clearly to users which versions are vulnerable and what the fixed release changes.
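To make the developer mistakes concrete, both the list under "How SQL Injection typically appears in WordPress plugins" above and the guidance in this section, here is an added example in Python on an in-memory SQLite database; it is not WordPress or plugin code. Bound parameters play the role of $wpdb->prepare() placeholders, and the int() check plays the role of absint()/intval(). The table and rows are constructed.

```python
"""Why concatenation is injectable and parameter binding is not.

Added example in Python on an in-memory SQLite database; it is not WordPress or
plugin code. Bound '?' parameters stand in for $wpdb->prepare() placeholders
(%d, %s) and the int() check stands in for absint()/intval(). Table and rows
are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
INSERT INTO wp_users VALUES (1, 'admin', 'admin@example.test');
INSERT INTO wp_users VALUES (2, 'editor', 'editor@example.test');
INSERT INTO wp_users VALUES (3, 'subscriber', 'sub@example.test');
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape_quotes(value: str) -> str:
    """Toy escaper that only doubles single quotes; stands in for a 'just escape it' fix."""
    return value.replace("'", "''")


# Mistake 1: untrusted input concatenated straight into the statement.
def by_id_concatenated(conn, user_id: str):
    return conn.execute("SELECT ID, user_login FROM wp_users WHERE ID = " + user_id).fetchall()


# Mistake 2: escaping applied to a numeric value that is never quoted, so there is
# nothing to escape and the payload passes through unchanged.
def by_id_escaped_unquoted(conn, user_id: str):
    sql = "SELECT ID, user_login FROM wp_users WHERE ID = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


# Mistake 1 again, for a quoted string column (the %27 OR %27 pattern from the WAF section).
def by_login_concatenated(conn, login: str):
    sql = "SELECT ID, user_login FROM wp_users WHERE user_login = '" + login + "'"
    return conn.execute(sql).fetchall()


# Fix: the value travels as a bound parameter and is never parsed as SQL
# (the equivalent of $wpdb->prepare("... WHERE ID = %d", $id)).
def by_id_bound(conn, user_id: str):
    return conn.execute("SELECT ID, user_login FROM wp_users WHERE ID = ?", (user_id,)).fetchall()


def by_login_bound(conn, login: str):
    return conn.execute("SELECT ID, user_login FROM wp_users WHERE user_login = ?", (login,)).fetchall()


# Fix plus validation: reject anything that is not a positive integer before it reaches
# SQL (absint()/intval() in WordPress), then still bind it.
def by_id_validated(conn, user_id: str):
    try:
        n = int(user_id)
    except (TypeError, ValueError):
        return []
    if n <= 0:
        return []
    return conn.execute("SELECT ID, user_login FROM wp_users WHERE ID = ?", (n,)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    for name, fn, payload in [
        ("concatenated", by_id_concatenated, "1 OR 1=1"),
        ("escaped but unquoted", by_id_escaped_unquoted, "1 OR 1=1"),
        ("login concatenated", by_login_concatenated, "x' OR '1'='1"),
        ("bound", by_id_bound, "1 OR 1=1"),
        ("validated", by_id_validated, "1 OR 1=1"),
    ]:
        print(f"{name:22s} payload={payload!r:18} rows={len(fn(db, payload))}")
```

The two vulnerable numeric lookups return the whole table for the payload 1 OR 1=1, and the escaped-but-unquoted one shows why escaping is not a substitute for binding; the bound versions return nothing for the same payloads because the database never interprets the value as SQL.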
Long-term hardening for WordPress site owners
- Keep WordPress core, themes and plugins up to date.
- Limit plugin count; remove unused plugins and themes.
- Use least privilege for users and database accounts.
- Disable file editing in wp-config.php:
define('DISALLOW_FILE_EDIT', true);
- Harden file permissions and ensure uploaded files cannot be executed.
- Use a managed WAF or security provider that can apply virtual patches and block exploit traffic quickly.
- Enable two-factor authentication (2FA) for administrators.
- Enforce strong password policies; use password managers for administrative access.
- Schedule regular backups (files + DB) and practice restores.
- Monitor logs centrally and set alerts for unusual events (traffic spikes, many login failures, unusual DB queries).
- Conduct periodic security audits and vulnerability scans.
How to safely update the plugin in production
- Review the plugin changelog and test the update on a staging site where possible.
- Backup files and database immediately before updating.
- If possible, reduce exposure during the update (maintenance mode, temporarily restrict access).
- Update to 2.0.0 or later via Dashboard, WP-CLI, or by uploading the fixed package.
- Validate functionality after update: test forms, downloads and pages that use the plugin, and monitor error logs.
- Remove temporary firewall rules only after confirming the update and functionality.
Practical detection queries you can run (read-only sampling)
Run these queries in a secure DB console. Adjust table names if your site uses a custom prefix; note that the capabilities meta_key (wp_capabilities) carries the prefix too.
-- Recent user registrations
SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE user_registered >= '2026-01-01'
ORDER BY user_registered DESC
LIMIT 100;
-- Users with administrator capabilities
SELECT u.ID, u.user_login, um.meta_value
FROM wp_users u
JOIN wp_usermeta um ON u.ID = um.user_id
WHERE um.meta_key = 'wp_capabilities' AND um.meta_value LIKE '%administrator%';
-- Autoloaded options: review anything you do not recognise. WordPress 6.6 and later
-- may store autoload values such as 'on' and 'auto-on' in addition to 'yes'.
SELECT option_name, option_value
FROM wp_options
WHERE autoload IN ('yes', 'on', 'auto-on', 'auto')
AND option_name NOT IN ('siteurl','home','blogname','blogdescription')
ORDER BY option_name;
On the server, to find recently modified PHP files:
find wp-content -type f -name '*.php' -mtime -30 -print
Example: What a managed firewall rule might block (conceptual)
A well-tuned managed WAF rule would:
- Match requests to plugin paths or Ajax actions related to the plugin.
- Inspect parameters for SQL control sequences combined with SQL keywords.
- Block or challenge automated requests that exceed rate thresholds.
- Log request context and origin IP for investigation.
Recommended immediate checklist (summary)
- Confirm whether the vulnerable plugin (≤ 1.3.0) is installed on your site(s).
- Update to 2.0.0 immediately after backup and testing.
- If you cannot update, deactivate the plugin or apply virtual patching via a managed WAF.
- Enable rate-limits and block suspicious IPs; restrict admin access by IP if feasible.
- Collect logs and scan for indicators of compromise.
- Rotate keys, change salts, and reset admin passwords if compromise suspected.
- Restore from a known-good backup if you identify a breach.
- Engage experienced incident responders if you confirm a compromise.
Final thoughts from a Hong Kong security practitioner
Unauthenticated SQL Injection is a high-priority emergency. Verify whether your site uses the vulnerable addon, and update or mitigate immediately. Even absent clear evidence of exploitation, apply conservative virtual patches, strengthen logging, and prepare for incident response.
If you run a hosting environment or manage multiple sites, treat this as a fleet priority: inventory installations, apply bulk mitigations (disable plugin where feasible, apply WAF rules), and coordinate updates and integrity checks across all affected sites.
Stay vigilant, keep backups current, and apply security patches promptly. If you lack the internal expertise to investigate potential compromise, engage professional incident responders who can preserve evidence, perform forensics, and guide safe recovery.