Description
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
Published: 2025-06-11
Score: 7.2 High
EPSS: 7.3% Low
KEV: No
Impact: Arbitrary File Deletion with potential remote code execution
Action: Patch Immediately
AI Analysis

Impact

The WP‑DownloadManager plugin for WordPress lets authenticated administrators delete any file on the server because it does not restrict the directory a deletion may target. An attacker who logs in with administrator or higher privileges can point the deletion action at critical files such as wp‑config.php, which creates a vector for remote code execution if the deleted file is later replaced or the system is otherwise compromised. The vulnerability is related to CVE‑2025‑4798; the two can be combined to delete any file within the WordPress root directory.

Affected Systems

The flaw exists in all releases of WP‑DownloadManager up to and including version 1.68.10, a WordPress plugin maintained by gamerz. Every WordPress installation that has this plugin installed and has administrator accounts enabled is affected.

Risk and Exploitability

The CVSS score of 7.2 indicates a high risk level, while the EPSS score of 7 % suggests a non‑trivial likelihood of exploitation in the near future. The vulnerability is not yet catalogued in CISA’s KEV list, so by that measure its exposure is low to moderate. The exploitation scenario is straightforward: an attacker who already holds administrator access simply chooses a file path to delete. Because the deletion is not restricted to the plugin’s managed directories, any file under the web server’s root can be removed, leading to potential privilege escalation or arbitrary code execution.
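As an added example that is not code from the WP‑DownloadManager plugin or from OpenCVE, the following hypothetical PHP delete routine shows the unrestricted pattern the advisory describes next to a hardened form that confines deletion to the plugin's managed directory (the function names, the $base_dir argument and the sample paths are assumed). In a real plugin this would sit behind WordPress's usual capability and nonce checks, which the example omits.

```php
<?php
// Added illustration, not code from the WP-DownloadManager plugin. The
// function names, the $base_dir argument and the sample paths are hypothetical.
// CWE-36 here: a delete handler unlinks a request-supplied path without
// confining it to the plugin's own directory.
// The pattern the advisory describes: nothing ties $file to a managed folder.
function delete_file_unrestricted(string $file): bool
{
    return unlink($file);
}

// Hardened form: canonicalise both paths and require the target to sit below
// $base_dir. Absolute paths, "../" segments and symlinks that resolve outside
// the managed directory are all refused before unlink() is reached.
function delete_file_in_managed_dir(string $base_dir, string $file): bool
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false;                                  // managed dir must exist
    }
    // Join first, then resolve, so an absolute $file cannot replace $base.
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($target === false || is_dir($target)) {
        return false;                                  // missing file, or a directory
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        error_log("refused delete outside managed dir: $file");   // worth alerting on
        return false;
    }
    return unlink($target);
}

// Constructed demo: one download inside a temporary managed directory and one
// file outside it standing in for wp-config.php.
$managed = sys_get_temp_dir() . '/wpdm-demo-' . getmypid();
mkdir($managed . '/2025', 0700, true);
file_put_contents($managed . '/2025/report.pdf', 'sample');
$outside = sys_get_temp_dir() . '/wpdm-demo-' . getmypid() . '-config.php';
file_put_contents($outside, 'sample');

var_dump(delete_file_in_managed_dir($managed, '2025/report.pdf'));
var_dump(delete_file_in_managed_dir($managed, '../' . basename($outside)));
var_dump(delete_file_in_managed_dir($managed, $outside));
var_dump(file_exists($outside));

unlink($outside);
rmdir($managed . '/2025');
rmdir($managed);
```

Only the first call removes anything; the two attempts to reach the file outside the managed directory are refused and the stand-in for wp-config.php survives.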

Generated by OpenCVE AI on April 22, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP‑DownloadManager to the latest version (≥ 1.68.11) that removes the unrestricted deletion feature.
  • If the plugin is not needed for your website, disable or uninstall it to eliminate the attack surface.
  • Revise user role permissions to remove unnecessary administrator access or restrict the administrator role to only essential functions, thereby limiting the potential for exploitation by compromised accounts.


Advisories

Source: EUVD
ID: EUVD-2025-18083
Title: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.

History

Sun, 13 Jul 2025 13:45:00 +0000
Metrics (epss)
Removed: {'score': 0.00824}
Added: {'score': 0.00897}

Wed, 09 Jul 2025 19:30:00 +0000
First Time appeared
Added: Wp-downloadmanager Project; Wp-downloadmanager Project wp-downloadmanager
CPEs
Added: cpe:2.3:a:wp-downloadmanager_project:wp-downloadmanager:*:*:*:*:*:wordpress:*:*
Vendors & Products
Added: Wp-downloadmanager Project; Wp-downloadmanager Project wp-downloadmanager

Wed, 11 Jun 2025 14:15:00 +0000
Metrics (ssvc)
Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Jun 2025 04:00:00 +0000
Description
Added: The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
Title
Added: WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion
Weaknesses
Added: CWE-36
References
Metrics (cvssV3_1)
Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wp-downloadmanager Project Wp-downloadmanager
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:15.795Z

Reserved: 2025-05-15T19:37:36.032Z

Link: CVE-2025-4799

Vulnrichment

Updated: 2025-06-11T13:23:47.521Z

NVD

Status: Analyzed

Published: 2025-06-11T04:15:59.223

Modified: 2025-07-09T19:11:14.477

Link: CVE-2025-4799

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses