Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.25.
Published: 2025-09-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to expose sensitive system information that is embedded within the Shahjada Download Manager plugin. The flaw is classified under CWE‑497, indicating that confidential data can be read by an unauthorized control sphere. An attacker who can trigger the vulnerability would gain access to data that normally should remain hidden, potentially compromising user privacy and internal system details. The impact is limited to data disclosure, without direct code execution or denial of service.

Affected Systems

Affected systems include the Shahjada Download Manager plugin for WordPress. Versions from the earliest release up to and including 3.3.25 are susceptible. No other plugins or system components are listed as vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate level of risk, and the EPSS score of less than 1% shows a low but non‑zero likelihood of exploitation. The vulnerability is not included in the CISA KEV catalog. Based on the description, the likely attack vector is through privileged or authenticated user access within a WordPress site, enabling the attacker to retrieve embedded data via the plugin’s exposed functionality. No additional prerequisites such as remote code execution are required, but the attacker would need to be able to execute or call plugin features within the web application environment.

Generated by OpenCVE AI on April 30, 2026 at 00:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download Manager plugin to version 3.3.26 or later to eliminate the flaw
  • Configure the plugin to restrict access to sensitive data endpoints, disabling any exposed APIs or shortcodes that are not required
  • Review and tighten file permissions and directory access controls to ensure that sensitive files are not readable by the web process or unintended users



Advisories
Source: EUVD
ID: EUVD-2025-31308
Title: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through 3.3.24.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through 3.3.24.
  Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.25.
Title
  Removed: WordPress Download Manager Plugin <= 3.3.24 - Sensitive Data Exposure Vulnerability
  Added: WordPress Download Manager Plugin <= 3.3.25 - Sensitive Data Exposure Vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 29 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared
  • Shahjada
  • Shahjada download Manager
  • Wordpress
  • Wordpress wordpress
Vendors & Products
  • Shahjada
  • Shahjada download Manager
  • Wordpress
  • Wordpress wordpress

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through 3.3.24.
Title WordPress Download Manager Plugin <= 3.3.24 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.665Z

Reserved: 2025-09-25T15:20:09.847Z

Link: CVE-2025-60092

Vulnrichment

Updated: 2025-09-29T16:15:31.142Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:34.037

Modified: 2026-04-23T15:34:12.267

Link: CVE-2025-60092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses