cleantalk
Vulnerabilities and Security Researches

WP-DownloadManager, CVE-2026-2419

CVE, Research URL

CVE-2026-2419

Home page URL

Security reports for WP-DownloadManager

Application

WP-DownloadManager

Published on
Feb 18, 2026
Research Description
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality.
Affected versions
max 1.69.1.
Status
vulnerable
Previous vulnerability researches
CRM and Lead Management by vcita (CVE-2025-5240) , Jul 23, 2025
CRM and Lead Management by vcita (CVE-2024-13702) , Mar 27, 2025
CRM and Lead Management by vcita (CVE-2024-13703) , Mar 14, 2025
CRM and Lead Management by vcita (CVE-2023-2405) , Jun 07, 2024
CRM and Lead Management by vcita (CVE-2023-2404) , Jun 07, 2024
New vulnerability
Membership Plugin – Restrict Content (CVE-2026-1321) , Apr 15, 2026
Membership Plugin – Restrict Content (CVE-2026-1304) , Apr 15, 2026
Document Embedder (CVE-2026-1389) , Apr 15, 2026
Easy Voice Mail (CVE-2026-1164) , Apr 15, 2026
Blocksy (CVE-2026-2583) , Apr 15, 2026