Description
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-09-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads because file type validation is omitted in download‑add.php. Administrative access allows an attacker to upload any file, potentially including scripts, which could lead to remote code execution on the server. This flaw is classified as CWE‑434 and grants the ability to alter server‑side file contents.

Affected Systems

All installations of the WP‑DownloadManager plugin from vendor gamerz, specifically versions 1.68.11 and earlier, are affected. The vulnerability exists in the download‑add.php handling of upload requests.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2, an EPSS score below 1%, and is not listed in the CISA KEV catalog. Exploitation requires a user with Administrator‑level privileges; once logged in, the attacker can reach the vulnerable upload endpoint. Because the attack vector is internal and authenticated, the likelihood of exploitation is low but the impact is high, making the risk moderate to high for sites with exposed admin accounts.

Generated by OpenCVE AI on April 22, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP‑DownloadManager to the latest version (>=1.68.12) to enforce file type validation.
  • If upgrading is not immediately possible, restrict access to download‑add.php so that only authorized administrators can upload files, for example by setting web‑server permissions or using an .htaccess rule.
  • Add an additional server‑side file‑type check or deploy a WAF rule that rejects uploads with disallowed mime types or extensions before they reach the plugin.

Generated by OpenCVE AI on April 22, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31216 The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 05:45:00 +0000

Type Values Removed Values Added
Description The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title WP-DownloadManager <= 1.68.11 - Authenticated (Admin+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:52.052Z

Reserved: 2025-09-19T19:48:07.090Z

Link: CVE-2025-10747

cve-icon Vulnrichment

Updated: 2025-09-26T19:48:16.439Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T06:15:35.090

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses