wordfence / plugin · download-manager

Download Manager (slug: download-manager)

total installs: 100,000
total vulns: 17
critical: 0
high: 2
medium: 15
low: 0
latest vuln
patched: 17
unpatched: 0
avg time to patch
vulnerabilities (17)
Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal
medium ✓ patched
cvss score 4.3
cwe CWE-862: Missing Authorization
published Apr 9, 2026
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.
Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 8, 2026
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter
medium ✓ patched
cvss score 4.3
cwe CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
published Mar 18, 2026
The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates.
Download Manager <= 3.3.52 - Missing Authorization
medium ✓ patched
cvss score 5.3
cwe CWE-862: Missing Authorization
published Feb 19, 2026
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.3.52. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter
medium ✓ patched
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Feb 17, 2026
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
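Added example, not code from the Download Manager plugin: a hypothetical shortcode with an `sid` attribute (the stored XSS pattern in the 3.3.52 entry) and a hypothetical login form that reflects `redirect_to` (this entry), each shown in the unsafe shape the advisories describe and in a hardened shape. All `demo_*` names and meta keys are assumptions; the WordPress functions used (`shortcode_atts`, `sanitize_html_class`, `esc_attr`, `wp_validate_redirect`, `esc_url`) are core API. The same two fixes, sanitize on input and escape for the output context, apply to the later `user_ids` and `wpdm_user_dashboard` entries.

```php
<?php
// Added illustration only; not code from the Download Manager plugin.
// demo_* names, meta keys and shortcode tags are assumptions for this example.

// VULNERABLE SHAPE (stored): the attribute is taken as-is, persisted, and echoed
// into an HTML attribute without escaping. A shortcode such as
// [demo_members sid='x" onmouseover="alert(1)'] closes the id attribute early.
function demo_members_vulnerable( $atts ) {
    $sid     = $atts['sid'] ?? 'members';
    $post_id = get_the_ID();
    if ( $post_id ) {
        update_post_meta( $post_id, '_demo_sid', $sid ); // stored: fires on every later view
    }
    return '<div id="' . $sid . '" class="demo-members"></div>';
}

// VULNERABLE SHAPE (reflected): a GET parameter lands inside value="...".
function demo_login_form_vulnerable() {
    $redirect = $_GET['redirect_to'] ?? '';
    return '<form method="post"><input type="hidden" name="redirect_to" value="'
        . $redirect . '"></form>';
}

// HARDENED SHAPE: declare the attributes you accept, sanitize the value to what
// an id may contain, and escape for the attribute context when rendering.
function demo_members_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'sid' => 'members' ), $atts, 'demo_members' );
    $sid     = sanitize_html_class( $atts['sid'], 'members' ); // [A-Za-z0-9_-] only
    $post_id = get_the_ID();
    if ( $post_id ) {
        update_post_meta( $post_id, '_demo_sid', $sid );
    }
    return '<div id="' . esc_attr( $sid ) . '" class="demo-members"></div>';
}

// HARDENED SHAPE: a redirect target is validated against the site's own host
// (open-redirect protection) and then escaped as a URL inside the attribute.
function demo_login_form_hardened() {
    $raw      = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    $redirect = wp_validate_redirect( $raw, home_url( '/' ) );
    return '<form method="post"><input type="hidden" name="redirect_to" value="'
        . esc_url( $redirect ) . '"></form>';
}

add_shortcode( 'demo_members', 'demo_members_hardened' );
add_shortcode( 'demo_login',   'demo_login_form_hardened' );
```

`esc_attr()` alone would already neutralise the quote in the stored case; sanitizing on input as well keeps junk out of the database, which matters because shortcode attributes are not subject to the KSES filtering that limits what a Contributor can put in post content.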
Download Manager <= 3.3.53 - Authenticated (Author+) Stored Cross-Site Scripting
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Feb 10, 2026
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword
high ✓ patched
cvss score 7.3
cwe CWE-353: Missing Support for Integrity Check
published Jan 5, 2026
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity before updating account details such as the password. This makes it possible for unauthenticated attackers to change the passwords of non-administrator users and leverage that to gain access to their accounts.
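Added example, not code from the Download Manager plugin: a hypothetical `demo_update_password` AJAX handler showing why a role denylist around a client-supplied user id is not an identity check, beside a shape where the account being changed is the authenticated session's own and the caller must present the current password. All `demo_*` names and nonce actions are assumptions; `wp_check_password`, `wp_set_password`, `WP_Session_Tokens` and `wp_set_auth_cookie` are core API.

```php
<?php
// Added illustration only; not code from the Download Manager plugin.
// demo_* names and nonce actions are assumptions for this example.

// VULNERABLE SHAPE: the account to change is named by the client and the only
// guard is "not an administrator". Every other account can still be taken over,
// and nothing ties the request to a logged-in user at all.
function demo_update_password_vulnerable() {
    $uid  = (int) ( $_POST['uid'] ?? 0 );
    $user = get_userdata( $uid );
    if ( $user && ! in_array( 'administrator', (array) $user->roles, true ) ) {
        wp_set_password( (string) ( $_POST['password'] ?? '' ), $uid );
    }
    wp_send_json_success();
}

// HARDENED SHAPE: identity comes from the authenticated session, never from a
// uid parameter; the request carries a nonce; the caller proves knowledge of the
// current password; every other session for the account is revoked afterwards.
function demo_update_password_hardened() {
    check_ajax_referer( 'demo_update_password', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $user    = wp_get_current_user();
    $current = (string) ( $_POST['current_password'] ?? '' );
    $new     = (string) ( $_POST['new_password'] ?? '' );

    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) { // minimum length is a policy choice made for this example
        wp_send_json_error( 'new password too short', 400 );
    }

    wp_set_password( $new, $user->ID );

    // Changing the hash invalidates existing auth cookies (they embed a fragment of
    // it), so re-issue the caller's cookie on its current token and destroy the rest.
    $token = wp_get_session_token();
    WP_Session_Tokens::get_instance( $user->ID )->destroy_others( $token );
    wp_set_auth_cookie( $user->ID, true, '', $token );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_update_password', 'demo_update_password_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: an unauthenticated request has no identity to act on.
```

If a "forgot password" flow is needed for users who cannot present the current password, the core `get_password_reset_key()` / `check_password_reset_key()` pair provides the identity proof (possession of the mailbox) that a bare user id does not.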
Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure
medium ✓ patched
cvss score 4.3
cwe CWE-862: Missing Authorization
published Dec 17, 2025
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files.
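Added example, not code from the Download Manager plugin, serving this entry and the 3.3.51 media protection removal entry above: a hypothetical `demo_media_private` AJAX action in the shape the 3.3.51 advisory describes (broad `edit_posts` check, destructive writes executed before the admin-level check) beside a hardened shape, plus a read handler in the shape this entry calls for. All `demo_*` names, meta keys and nonce actions are assumptions; `check_ajax_referer`, `current_user_can( 'edit_post', $id )`, `absint` and `wp_send_json_*` are core API. The nonce check at the top of each hardened handler is also the control whose absence is the 3.3.24 CSRF entry further down.

```php
<?php
// Added illustration only; not code from the Download Manager plugin.
// demo_* names, meta keys and nonce actions are assumptions for this example.

// VULNERABLE SHAPE: a capability every Contributor holds, no nonce, no per-object
// check, and the protection-stripping writes run before the check meant to gate them.
function demo_make_media_private_vulnerable() {
    $id = (int) ( $_POST['id'] ?? 0 );
    if ( ! current_user_can( 'edit_posts' ) ) {      // true for any Contributor
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_post_meta( $id, '_demo_password' );        // protection already gone here...
    delete_post_meta( $id, '_demo_access' );
    if ( ! current_user_can( 'manage_options' ) ) {   // ...and only now the admin check
        wp_send_json_error( 'forbidden', 403 );
    }
    update_post_meta( $id, '_demo_private', 1 );
    wp_send_json_success();
}

// HARDENED SHAPE: nonce first, then validate the id, then the object-level meta
// capability edit_post on *this* attachment (map_meta_cap requires
// edit_others_posts for attachments the caller does not own, which Contributors
// and Authors lack), and only then write.
function demo_make_media_private_hardened() {
    check_ajax_referer( 'demo_media_access', 'nonce' );
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'bad id', 400 );
    }
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_post_meta( $id, '_demo_private', 1 );
    wp_send_json_success();
}

// The same object-level check gates reads. Handing the access settings of any
// attachment to any Subscriber is the disclosure pattern of this entry; here the
// stored password is never returned at all, only whether one is set.
function demo_get_media_access_hardened() {
    check_ajax_referer( 'demo_media_access', 'nonce' );
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array(
        'private'      => (bool) get_post_meta( $id, '_demo_private', true ),
        'access'       => (array) get_post_meta( $id, '_demo_access', true ),
        'has_password' => '' !== (string) get_post_meta( $id, '_demo_password', true ),
    ) );
}

add_action( 'wp_ajax_demo_media_private', 'demo_make_media_private_hardened' );
add_action( 'wp_ajax_demo_media_access',  'demo_get_media_access_hardened' );
// Deliberately no wp_ajax_nopriv_ registrations: unauthenticated callers get nothing.
```

The ordering matters as much as the check itself: in the vulnerable shape, even a correct `manage_options` test cannot undo the `delete_post_meta()` calls that already ran, so authorization must be the first thing a handler does after nonce validation, before any state changes.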
Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
medium ✓ patched
cvss score 5.3
cwe CWE-321: Use of Hard-coded Cryptographic Key
published Nov 7, 2025
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs, leading to deletion of expired posts and clearing of cached data.
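Added example, not code from the Download Manager plugin: a hypothetical cleanup task gated by a key that ships identically in every install (the shape of this entry), beside two hardened shapes: scheduling the task through WP-Cron so there is no public trigger at all, and, where an external trigger is genuinely required, a per-site random secret compared in constant time. All `demo_*` names, option keys and the `demo_package` post type are assumptions; `wp_schedule_event`, `wp_generate_password`, `add_option` and PHP's `hash_equals` are real API.

```php
<?php
// Added illustration only; not code from the Download Manager plugin.
// demo_* names, option keys and the demo_package post type are assumptions.

// VULNERABLE SHAPE: the key is a string constant in the plugin source, so anyone
// who reads the source can request ?demo_cron=<key> and run the deletion.
function demo_cron_vulnerable() {
    if ( isset( $_GET['demo_cron'] ) && 'demo-static-cron-key' === $_GET['demo_cron'] ) {
        demo_delete_expired();
    }
}

// HARDENED SHAPE 1: no URL trigger at all; WP-Cron runs the hook on schedule.
function demo_cron_register() {
    if ( ! wp_next_scheduled( 'demo_delete_expired_event' ) ) {
        wp_schedule_event( time(), 'hourly', 'demo_delete_expired_event' );
    }
}
add_action( 'init', 'demo_cron_register' );
add_action( 'demo_delete_expired_event', 'demo_delete_expired' );

// HARDENED SHAPE 2: if a real system cron must hit a URL, the key is generated
// per site from a CSPRNG, stored without autoload, and compared in constant time.
function demo_cron_key() {
    $key = get_option( 'demo_cron_key' );
    if ( ! $key ) {
        $key = wp_generate_password( 40, false );
        add_option( 'demo_cron_key', $key, '', 'no' );
    }
    return $key;
}

function demo_cron_hardened() {
    $supplied = isset( $_GET['demo_cron'] ) ? (string) $_GET['demo_cron'] : '';
    if ( '' === $supplied || ! hash_equals( demo_cron_key(), $supplied ) ) {
        return; // wrong or missing key: do nothing and reveal nothing
    }
    demo_delete_expired();
    exit;
}
add_action( 'init', 'demo_cron_hardened' );

// The task itself: delete packages whose expiry timestamp is in the past.
function demo_delete_expired() {
    $expired = get_posts( array(
        'post_type'    => 'demo_package',
        'post_status'  => 'any',
        'meta_key'     => '_demo_expires',
        'meta_value'   => time(),
        'meta_compare' => '<',
        'meta_type'    => 'NUMERIC',
        'fields'       => 'ids',
        'numberposts'  => 50,
    ) );
    foreach ( $expired as $id ) {
        wp_delete_post( $id, true );
    }
}
```

A hardcoded key is weaker than no authentication in one respect: it looks like a control, so nobody adds a real one. Because the key must live in the source to be used, every installation shares it and it cannot be rotated without a release.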
Download Manager <= 3.3.32 - Authenticated (Subscriber+) Information Exposure
medium ✓ patched
cvss score 4.3
cwe CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
published Sep 30, 2025
The Download Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
Download Manager <= 3.3.25 - Unauthenticated Sensitive Information Exposure
medium ✓ patched
cvss score 5.3
cwe CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
published Sep 26, 2025
The Download Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.25. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
Download Manager <= 3.3.24 - Cross-Site Request Forgery
medium ✓ patched
cvss score 4.3
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Sep 26, 2025
The Download Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.24. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Download Manager <= 3.3.23 - Reflected Cross-Site Scripting via `user_ids` Parameter
medium ✓ patched
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Sep 18, 2025
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `user_ids` parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode
medium ✓ patched
cvss score 6.4
cwe CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
published Jun 18, 2025
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion
high ✓ patched
cvss score 8.8
cwe CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
published Apr 18, 2025
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
medium ✓ patched
cvss score 5.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 17, 2025
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Download Manager <= 3.3.08 - Authenticated (Author+) Path Traversal to Limited File Overwrite
medium ✓ patched
cvss score 5.4
cwe CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
published Mar 12, 2025
The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.