cleantalk
Vulnerabilities and Security Researches

WP-DownloadManager, CVE-2026-2426

CVE, Research URL

CVE-2026-2426

Home page URL

Security reports for WP-DownloadManager

Application

WP-DownloadManager

Published on
Feb 18, 2026
Research Description
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can lead to remote code execution when critical files like wp-config.php are deleted.
Affected versions
max 1.69.1.
Status
vulnerable
Previous vulnerability researches
WP-DownloadManager (CVE-2021-44760) , Jun 06, 2024
WP-DownloadManager (CVE-2013-2697) , Jun 06, 2024
WP-DownloadManager (CVE-2022-25606) , Jun 06, 2024
WP-DownloadManager (CVE-2020-24141) , Jun 06, 2024
WP-DownloadManager (CVE-2022-25605) , Jun 06, 2024
New vulnerability
EmailKit -WooCommerce Email Customizer (CVE-2026-1925) , Apr 15, 2026
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce (CVE-2026-1651) , Apr 15, 2026
Contact Form builder with drag & drop for WordPress – Kali Forms (CVE-2026-1860) , Apr 15, 2026
Related Posts by Taxonomy (CVE-2026-0916) , Apr 15, 2026
Ivory Search – WordPress Search Plugin (CVE-2026-1053) , Apr 15, 2026