Impact
Shahjada Download Manager plugin versions up to and including 3.3.32 contain a flaw that allows an unauthenticated attacker, outside the intended control sphere, to retrieve sensitive data embedded in the plugin's responses. The result is disclosure of information that should be reachable only by authorized users, compromising confidentiality; depending on what the plugin returns, this could expose credentials, configuration details, or other secret data. The weakness is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), which describes exactly this failure to restrict what information is returned to a requester who is not entitled to it.
Affected Systems
WordPress sites running the Download Manager plugin from Shahjada are affected when the installed plugin version is 3.3.32 or older. Any deployment that exposes the plugin's embedded data retrieval functionality without additional access controls in front of it (for example, a WAF rule or server-level authentication) is in scope. Releases newer than 3.3.32 are presumed to contain the fix, so upgrading past that version is the remediation; until then, restrict access to the plugin's endpoints and review what data it returns to unauthenticated requests.
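The practical first step on a fleet of WordPress hosts is to decide, per site, whether the installed plugin falls within the affected range. The script below is an added example, not code from the advisory or from the plugin; it parses the standard WordPress plugin header block for its "Version:" line and compares it numerically against the 3.3.32 ceiling, so that "3.10.0" is correctly treated as newer than "3.9.0" (a plain string comparison would get this wrong). The sample header is constructed for the example; the plugin file name "download-manager.php" mentioned in the comments is an assumption about the plugin's layout, not something the advisory states.

```python
import re
from typing import Optional, Tuple

# Highest version the advisory lists as affected (inclusive).
LAST_AFFECTED_VERSION = "3.3.32"

# Constructed sample of a WordPress plugin header block, as found at the top
# of a plugin's main PHP file (assumed here to be download-manager.php).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Download Manager
 * Version: 3.3.32
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Build a sortable key from a dotted version string.

    Numeric components are compared as integers and padded with zeros so that
    '3.3' equals '3.3.0'. A pre-release suffix such as '-beta' sorts *before*
    the corresponding release, matching the usual semantic-version ordering.
    """
    core, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in re.findall(r"\d+", core))
    padded = numbers + (0,) * (4 - len(numbers))
    return (padded, 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True if the given plugin version is within the affected range."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def audit_plugin_header(header_text: str) -> dict:
    """Parse a plugin header and report whether the site needs the upgrade."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None, "note": "no Version header found"}
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(audit_plugin_header(SAMPLE_PLUGIN_HEADER))
```

On a host with WP-CLI available the version can instead be read directly with `wp plugin get <slug> --field=version`; the plugin's slug is not given on this page and has to be confirmed from the installation's wp-content/plugins directory before feeding the result to `is_affected`.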
Risk and Exploitability
The CVSS score of 4.3 places the issue in the Medium severity band, and the EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild over the near term. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation is known to CISA. Although the attack vector is not explicitly detailed in the description, the CWE classification and the unauthenticated attacker model imply that a single unauthenticated web request to the plugin's data endpoint is enough to trigger the disclosure, because the plugin returns the data without an authentication or capability check. The impact is therefore limited to confidentiality loss: the flaw does not by itself provide code execution or service disruption, though any credentials it leaks could be used in follow-on attacks.
OpenCVE Enrichment