Description
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-04-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Download Manager plugin permits authenticated users with Author-level or higher privileges to remove any file from the server due to inadequate file path validation in the savePackage routine. An attacker can target critical files such as wp-config.php, enabling remote code execution or complete site compromise. The flaw is a classic Path Traversal issue, classified as CWE-22, and grants destructive capabilities that surpass typical author functions.

Affected Systems

WordPress sites running the codename065 Download Manager plugin version 3.3.12 or earlier are affected. This includes the Up to 3.3.12 releases distributed through the official repository and any custom installations that have not been updated to a newer, corrected version.

Risk and Exploitability

The CVSS score of 8.8 signals a high severity, while an EPSS score of <1% indicates that exploitation is unlikely but possible. Based on the description, it is inferred that threat actors must first acquire authenticated access at the author level, typically by compromising or impersonating a legitimate user, before deleting files. The flaw is not currently listed in the CISA KEV catalog, but the potential for remote code execution makes it highly critical for organizations that rely on this plugin.

Generated by OpenCVE AI on June 18, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download Manager plugin to the latest released version (greater than 3.3.12) where file path validation has been corrected.
  • Revoke or reduce Author-level access for authenticated users who do not require file deletion capabilities; restrict deletion privileges to administrators only.
  • Implement server‑side file path checks or configure web‑server restrictions (e.g., .htaccess rules or PHP settings) to disallow deletion of critical WordPress core files such as wp-config.php.

Generated by OpenCVE AI on June 18, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15051 The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Mon, 21 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 19 Apr 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:32.877Z

Reserved: 2025-04-07T10:27:00.760Z

Link: CVE-2025-3404

cve-icon Vulnrichment

Updated: 2025-04-21T14:11:30.241Z

cve-icon NVD

Status : Deferred

Published: 2025-04-19T08:15:13.780

Modified: 2026-06-17T09:19:53.773

Link: CVE-2025-3404

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')