Description
The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.
Published: 2025-03-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Limited file overwrite leading to denial of service
Action: Update
AI Analysis

Impact

The Download Manager plugin for WordPress allows authenticated users with the Author role or higher to exploit a directory traversal flaw (CWE-22) via the 'wpdm_newfile' action. Directory traversal here means the path the action writes to is not confined to the intended directory, so '../' segments in the supplied name let the write land outside it, overwriting files of a limited set of types. The result can be denial of service, for example if a template or configuration file is corrupted or replaced; the scope is limited to those file types, and the advisory does not describe arbitrary code execution.
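The traversal class behind this advisory, as an added example that is not the plugin's own code: a file-save handler that joins an untrusted filename onto the intended directory, beside a hardened version that rejects path separators, allowlists the extension, resolves symlinks with realpath and checks containment with commonpath. It is written in Python rather than the plugin's PHP so that it runs stand-alone; the directory layout, the extension allowlist and the 'wp-config.php' target are constructed for the demonstration, and the real 'wpdm_newfile' handler's logic is not reproduced here. In a WordPress plugin the same three checks map onto sanitising the name, PHP's realpath(), and a comparison against the directory returned by wp_upload_dir().

```python
import os
import shutil
import tempfile

# Constructed allowlist standing in for the "select file types" the advisory mentions.
ALLOWED_EXTENSIONS = {".pdf", ".zip", ".txt"}


def unsafe_target(base_dir, user_name):
    """Vulnerable pattern: the untrusted name is joined onto the intended
    directory and normalised, but '..' segments are honoured, so the result
    can point anywhere the web server user is allowed to write."""
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_target(base_dir, user_name):
    """Hardened pattern. Returns the resolved path to write, or None to reject."""
    # 1. A legitimate upload name never carries a directory component. Dotfiles
    #    (such as .htaccess) are rejected as well.
    name = user_name.replace("\\", "/")
    if "/" in name or name in ("", ".", "..") or name.startswith("."):
        return None
    # 2. Confine what can be written to the expected file types.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # 3. Resolve symlinks on both sides, then check containment. commonpath
    #    (rather than startswith) also avoids treating '/uploads-evil' as
    #    being inside '/uploads'.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Constructed scenario: an uploads directory beside a config file it must
    never reach, plus a symlink planted inside uploads that points at it."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "uploads")
        outside = os.path.join(root, "outside")
        os.makedirs(uploads)
        os.makedirs(outside)
        victim = os.path.join(outside, "wp-config.php")
        with open(victim, "w") as f:
            f.write("<?php // constructed stand-in for a site config\n")
        os.symlink(victim, os.path.join(uploads, "link.txt"))
        traversal = "../outside/wp-config.php"
        return {
            # The vulnerable join lands exactly on the config file.
            "traversal_unsafe_hits_victim": unsafe_target(uploads, traversal) == victim,
            "traversal_safe": safe_target(uploads, traversal),
            # A plain prefix check on the unresolved path passes for the symlink...
            "symlink_passes_prefix_check": unsafe_target(uploads, "link.txt").startswith(uploads + os.sep),
            # ...but realpath-based containment rejects it.
            "symlink_safe": safe_target(uploads, "link.txt"),
            "normal_name_accepted": safe_target(uploads, "report.pdf")
            == os.path.join(os.path.realpath(uploads), "report.pdf"),
            "disallowed_extension": safe_target(uploads, "backdoor.php"),
        }
    finally:
        shutil.rmtree(root)
```

The demo function shows the two traps a fix has to cover: a normalised-but-unresolved path still escapes through '..', and a string prefix check still passes for a symlink placed inside the directory, which only a realpath-based containment check catches.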

Affected Systems

The affected system is the Download Manager plugin by codename065, available as a free WordPress plugin. Versions up to and including 3.3.08 contain the vulnerability. The plugin is commonly installed on WordPress sites where it provides file‑management functionality.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) indicates moderate risk: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires an authenticated account with at least Author privileges and yields only limited integrity and availability impact, with no confidentiality impact. The EPSS score below 1% signals a low probability of exploitation, the SSVC assessment records Exploitation 'none' and Automatable 'no', and the issue is not listed in the CISA KEV catalog, so it is not a known, widely leveraged exploit. Exploiting it in practice also requires knowing the relative path of the target file and choosing one of the file types the flaw allows to be overwritten. No public exploits or evidence of active compromise have been reported.

Generated by OpenCVE AI on April 20, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround is listed on this page. The advisory's affected range ('all versions up to, and including, 3.3.08') indicates that a later release is expected to contain the fix; confirm the fixed version against the plugin's changelog before relying on an update.

OpenCVE Recommended Actions

  • Update the Download Manager plugin to the latest version, which removes the traversal flaw.
  • If updating is not immediately possible, reduce what Author-level accounts can do: move untrusted users to a lower role, or remove the capability the plugin's file-creation feature depends on (WordPress grants Authors the upload_files capability by default) to reduce the ability to reach the flaw.
  • Disable or delete the plugin entirely if it is not required for site functionality.
  • As a temporary control, monitor the site’s file integrity and audit logs for unexpected file changes or attempted writes to critical directories.
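The file-integrity monitoring the last recommendation calls for, as an added example that is not OpenCVE's or the plugin vendor's tooling: a Python script that hashes every regular file under a site root, diffs two snapshots, and flags changes to files whose overwrite would take a site down. The site tree, file contents and the list of 'critical' suffixes are constructed for the demonstration. In production, take the baseline from a known-good deployment, store it off-host, and compare on a schedule; WP-CLI's 'wp core verify-checksums' and 'wp plugin verify-checksums' cover the same ground for files WordPress.org publishes hashes for, but not for wp-config.php or custom theme files.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed list of suffixes whose overwrite is most likely to break a site.
CRITICAL_SUFFIXES = (".php", ".htaccess", ".js", ".html", ".css")


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> sha256 for every regular file under root.
    Symlinks are skipped so a planted link cannot pull outside content in."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Added, removed and modified relative paths between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def critical_changes(diff):
    """Subset of new or changed paths that touch files a traversal write could
    use to break the site; these are the ones to page on."""
    return sorted(p for p in diff["added"] + diff["modified"] if p.endswith(CRITICAL_SUFFIXES))


def demo():
    """Constructed site tree: take a baseline, simulate an overwrite, report."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed\n",
            "wp-content/themes/demo/index.php": "<?php get_header(); // constructed\n",
            "wp-content/uploads/report.pdf": "%PDF-1.4 constructed\n",
        }
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        before = build_baseline(root)
        # Simulate what a traversal write could do: clobber a template, add a file.
        with open(os.path.join(root, "wp-content/themes/demo/index.php"), "w") as f:
            f.write("garbage\n")
        with open(os.path.join(root, "wp-content/uploads/new.pdf"), "w") as f:
            f.write("%PDF-1.4 new\n")
        after = build_baseline(root)
        diff = diff_baseline(before, after)
        return diff, critical_changes(diff)
    finally:
        shutil.rmtree(root)
```

Run build_baseline against the live document root once after a clean deploy and again on each check; an entry in the critical list that does not line up with a deployment is the signal the recommendation above is asking for.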



Advisories
Source  ID              Title
EUVD    EUVD-2025-6256  The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00536}
Values Added: {'score': 0.01248}

Tue, 08 Jul 2025 16:00:00 +0000

Type: First Time appeared
Values Added: W3eden; W3eden download Manager
Type: CPEs
Values Added: cpe:2.3:a:w3eden:download_manager:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products
Values Added: W3eden; W3eden download Manager

Thu, 13 Mar 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Mar 2025 07:45:00 +0000

Type: Description
Values Added: The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.
Type: Title
Values Added: Download Manager <= 3.3.08 - Authenticated (Author+) Path Traversal to Limited File Overwrite
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

W3eden Download Manager
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:44.296Z

Reserved: 2025-02-28T16:12:41.242Z

Link: CVE-2025-1785

Vulnrichment

Updated: 2025-03-13T20:12:57.673Z

NVD

Status : Analyzed

Published: 2025-03-13T08:15:10.950

Modified: 2025-07-08T15:34:55.257

Link: CVE-2025-1785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses