Advisory for: WordPress Download Manager
Security Risk: Very High
Exploitation level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Code Execution / Remote File Inclusion
Patched Version: <2.7.5\\http://www.sitesassure.com/images/wordpressIcon2.png
If you’re using the popular WP Download Manager plugin (around 850,000 downloads), you should update right away. During a routine audit for our Website Firewall (WAF), we found a dangerous remote code execution (RCE) and remote file inclusion (RFI) vulnerability. A malicious user can exploit this vulnerability to take control of your website by uploading backdoors and modifying user passwords.The vulnerability was discovered and disclosed last week and immediately patched by the WP Download Manager. They have released a patch in version 2.7.5 to fix this issue.
http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html
Sitesassure - MORE THE REASON