cleantalk
Vulnerabilities and Security Researches

WP-DownloadManager, CVE-2025-10747

CVE, Research URL

CVE-2025-10747

Home page URL

Security reports for WP-DownloadManager

Application

WP-DownloadManager

Published on
Sep 26, 2025
Research Description
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
max 1.69.
Status
vulnerable
Previous vulnerability researches
Child Themes Helper (CVE-2025-25093) , Feb 05, 2025
New vulnerability
WP Popup Builder – Popup Forms and Marketing Lead Generation (CVE-2025-62902) , Nov 11, 2025
WP Tactical Popup (CVE-2025-58921) , Nov 11, 2025
LMB^Box Smileys (CVE-2025-12400) , Nov 11, 2025
Image Hover Effects for Elementor (CVE-2025-10896) , Nov 11, 2025
Admin Management Xtended (CVE-2025-62965) , Nov 11, 2025