A successful attack could allow an anonymous attacker gains full control of the application and the ability to use any operating system functions that are available to the scripting environment.
Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.
CM Download Manager plugin does not correctly sanitise the user input which allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP 'create_function' function.
The script injects PHP system() function into the vulnerable target in order to execute specified shell command.
Update the WordPress CM Download Manager Plugin to the latest version.