Description
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.
Published: 2025-11-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Content
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the Download Manager WordPress plugin is caused by a hard‑coded cron key used in deleteExpired() and clearTempDataCPCron(). An attacker can call these functions without authentication, which results in deletion of expired posts and clearing of cached data, potentially causing loss of posts and site performance issues.

Affected Systems

Codename065’s Download Manager plugin for WordPress, version 3.3.30 and older, is affected. All installations of the plugin up to that release are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS shows less than 1% exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. To trigger the cron jobs, an attacker would need to send a request containing the hard‑coded key, which is likely embedded in the plugin code. Because no user authentication is required, anyone who can reach the target site can perform the attack. Given the low EPSS, widespread exploitation is unlikely, but the potential for content loss warrants patching.

Generated by OpenCVE AI on April 22, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download Manager plugin to the latest version, which removes the hard‑coded cron key or replaces it with a secure, unique key.
  • If an immediate upgrade is not possible, disable or remove the deleteExpired() and clearTempDataCPCron() cron functions, or block the URL paths that execute them.
  • Apply a web application firewall rule or rewrite rule to block requests containing the old hard‑coded key, ensuring that only authenticated users can trigger similar cron operations.
  • Verify that any scheduled tasks on the site that rely on these functions are reconfigured to use web‑hooks or secure cron mechanisms.



Advisories

No advisories yet.

History

Mon, 10 Nov 2025 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Codename065; Codename065 download Manager Plugin; Wordpress; Wordpress wordpress
Vendors & Products | | Codename065; Codename065 download Manager Plugin; Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type | Values Removed | Values Added
Description | | The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.
Title | | Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
Weaknesses | | CWE-321
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:29.806Z

Reserved: 2025-10-24T15:57:21.778Z

Link: CVE-2025-12177

Vulnrichment

Updated: 2025-11-10T20:03:20.250Z

NVD

Status: Deferred

Published: 2025-11-08T04:15:45.033

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses