Description
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
Published: 2025-06-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The WP-DownloadManager plugin for WordPress, in all releases up to 1.68.10, allows administrators or higher‑privileged users to read any file on the server. The vulnerability arises because the plugin accepts a target directory for storing downloads without enforcing restrictions, enabling the selection of arbitrary system paths. An attacker who can authenticate as an administrator can therefore download and view sensitive files, such as configuration or system files, leading to confidentiality compromise.

Affected Systems

The affected product is WP-DownloadManager, supplied by gamerz, for WordPress. All versions up to and including 1.68.10 are vulnerable. Versions 1.68.11 and newer contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate impact when an authorized administrator exploits the flaw. The EPSS score of less than 1% reflects a very low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not a widely known or actively leveraged threat. The attack vector is inferred to be internal – an attacker must first gain administrator‑level access to the site; once authenticated, the missing directory restriction allows arbitrary file reads.

Generated by OpenCVE AI on April 21, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP-DownloadManager to version 1.68.11 or later to eliminate the directory restriction flaw.
  • If an upgrade is not immediately possible, disable or uninstall the WP-DownloadManager plugin to prevent exploitation while a patch is applied.
  • Ensure that the WordPress upload and temporary directories have appropriate file permissions so that administrators cannot arbitrarily specify critical system paths.

Generated by OpenCVE AI on April 21, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18084 The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00038}

 epss

{'score': 0.00041}

Wed, 09 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Wp-downloadmanager Project
Wp-downloadmanager Project wp-downloadmanager
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:wp-downloadmanager_project:wp-downloadmanager:*:*:*:*:*:wordpress:*:*
Vendors & Products Wp-downloadmanager Project
Wp-downloadmanager Project wp-downloadmanager

Wed, 11 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Jun 2025 04:00:00 +0000

Type Values Removed Values Added
Description The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
Title WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Read
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wp-downloadmanager Project Wp-downloadmanager
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:16.878Z

Reserved: 2025-05-15T18:56:10.692Z

Link: CVE-2025-4798

cve-icon Vulnrichment

Updated: 2025-06-11T13:24:25.212Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-11T04:15:58.497

Modified: 2025-07-09T19:03:51.740

Link: CVE-2025-4798

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses