Impact
A CSRF flaw exists in Shahjada Download Manager up to version 3.3.24 that allows a remote attacker to cause a logged‑in user to send a request to the plugin without the user’s consent. The vulnerability does not grant arbitrary code execution. The description implies that attackers could cause unauthorized state‑changing actions within the plugin, potentially impacting the integrity and availability of the site’s download management functionality.
Affected Systems
WordPress sites that use the Download Manager plugin version 3.3.24 or earlier are affected. The issue is specific to the plugin, not tied to the underlying operating system or WordPress core version.
Risk and Exploitability
The CVSS score of 4.3 classifies the issue as moderate, and the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability by inducing victims to visit a maliciously crafted URL that triggers the plugin’s privileged endpoint, taking advantage of the absence of proper anti‑CSRF tokens. Since the attacker only needs a victim’s authenticated session, the attack is feasible in environments where users frequently remain logged in to the administration interface.
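The root cause named above is a privileged endpoint that acts on any request carrying the victim's session, with no anti‑CSRF token tying the request to a page the victim actually submitted. The following is an added example, not code from the Download Manager plugin: a hypothetical WordPress admin action (the `hyp_` handler names, the nonce action string and the `hyp_download` post type are all assumptions) shown first in the unprotected shape the advisory describes and then hardened with a WordPress nonce, a capability check and a request‑method check.

```php
<?php
// Added example (not the plugin's code): a hypothetical state-changing admin
// action, first without CSRF protection and then hardened. Handler names, the
// nonce action string and the post type are assumptions for illustration.

// --- Unprotected pattern: the shape of the flaw the advisory describes ---
add_action('admin_post_hyp_delete_download', 'hyp_delete_download_unprotected');
function hyp_delete_download_unprotected() {
    // No nonce and no capability check: any request that arrives with the
    // victim's authenticated session cookie is honoured, regardless of
    // whether the victim intended to send it. admin-post.php also answers
    // plain GET navigation, so a simple link is enough to reach this code.
    $id = absint($_GET['id'] ?? 0);
    wp_delete_post($id, true);
    wp_safe_redirect(admin_url('admin.php?page=hyp-downloads'));
    exit;
}

// --- Hardened pattern: nonce + capability + method check ---
add_action('admin_post_hyp_delete_download_safe', 'hyp_delete_download_protected');
function hyp_delete_download_protected() {
    // 1. Reject requests that do not carry a valid nonce for this action and
    //    this item. check_admin_referer() calls wp_die() on failure, so a
    //    forged cross-site request never reaches the state change below.
    $id = absint($_REQUEST['id'] ?? 0);
    check_admin_referer('hyp_delete_download_' . $id);

    // 2. A nonce proves intent, not authority: it is valid for whatever the
    //    logged-in user may do, so the capability check is still required.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to do this.'), 403);
    }

    // 3. State changes should not be reachable by GET navigation at all.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        wp_die(__('Invalid request method.'), 405);
    }

    // 4. Only act on the object type this handler is meant to manage.
    if ($id && get_post_type($id) === 'hyp_download') {
        wp_delete_post($id, true);
    }
    wp_safe_redirect(admin_url('admin.php?page=hyp-downloads'));
    exit;
}

// The legitimate form that triggers the protected handler. wp_nonce_field()
// emits the _wpnonce token (and a referer field) bound to the current user's
// session, the action name and the specific item, which is exactly what a
// page on another origin cannot produce.
function hyp_render_delete_form($id) {
    $id = absint($id);
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="hyp_delete_download_safe">
        <input type="hidden" name="id" value="<?php echo esc_attr($id); ?>">
        <?php wp_nonce_field('hyp_delete_download_' . $id); ?>
        <?php submit_button(__('Delete'), 'delete'); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, look for every `admin_post_*`, `wp_ajax_*`, `admin_init` or REST callback that modifies data and confirm it calls `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` (or, for REST routes, a `permission_callback` that relies on the cookie nonce) before the write. The capability check is listed separately on purpose: WordPress nonces are session‑bound tokens that stop a third‑party page from forging a request, but they say nothing about whether the user should be allowed to perform the action.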
OpenCVE Enrichment