Vulnerabilities and security researches forwp-downloadmanager wp-downloadmanager

Nov 11, 2025

CVE, Research URL: CVE-2025-10747
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Sep 26, 2025
Research Description: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 1.69.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-4799
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Jun 11, 2025
Research Description: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
Affected versions: max 1.68.11.
Status: vulnerable

CVE, Research URL: CVE-2025-4798
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Jun 11, 2025
Research Description: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
Affected versions: max 1.68.11.
Status: vulnerable

Oct 01, 2024

CVE, Research URL: CVE-2024-47341
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Oct 06, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lester ‘GaMerZ’ Chan WP-DownloadManager allows Reflected XSS.This issue affects WP-DownloadManager: from n/a through 1.68.8.
Affected versions: max 1.68.9.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2021-44760
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Mar 18, 2022
Research Description: Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions.
Affected versions: max 1.68.7.
Status: vulnerable

CVE, Research URL: CVE-2013-2697
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Apr 19, 2013
Research Description: Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
Affected versions: max 1.61.
Status: vulnerable

CVE, Research URL: CVE-2022-25606
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Mar 26, 2022
Research Description: Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.
Affected versions: max 1.68.7.
Status: vulnerable

CVE, Research URL: CVE-2020-24141
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Jul 07, 2021
Research Description: Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports, local network hosts and execute command on services
Affected versions: max 1.68.6.
Status: vulnerable

CVE, Research URL: CVE-2022-25605
Home page URL: Security reports for WP-DownloadManager
Application: WP-DownloadManager
Date: Mar 18, 2022
Research Description: Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url.
Affected versions: max 1.68.7.
Status: vulnerable