Description
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality.
Published: 2026-02-18
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via arbitrary file read
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated administrator to configure the plugin’s download_path parameter with directory traversal sequences that bypass a prefix check, enabling the listing and reading of any file on the server. This constitutes a path traversal flaw (CWE‑22) that can expose sensitive configuration files, credentials, or code, thereby compromising confidentiality and potentially increasing the attack surface for further exploitation. Only users with Administrator level or higher privileges can trigger the flaw, so the attack requires legitimate site access.

Affected Systems

The WP‑DownloadManager plugin for WordPress versions up to and including 1.69 is affected; the vendor is gamerz:WP-DownloadManager. All installations of these plugin versions that expose the file browser functionality are vulnerable.

Risk and Exploitability

The CVSS score is 2.7, indicating low overall severity, and the EPSS score is less than 1%, reflecting a very low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely to be initiated by an authenticated administrator who modifies the download_path value, exploiting the insufficient validation. While the technical barrier is low for an attacker with admin access, the overall risk remains modest due to the restricted privilege requirement and low exploitation probability.

Generated by OpenCVE AI on April 15, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP‑DownloadManager to version 1.70 or later to remove the traversal bug
  • If an upgrade is not immediately possible, delete or disable the plugin’s file browser feature and remove the download_path configuration
  • Restrict administrator access and enforce a whitelist of permissible directories for download_path to mitigate future attempts
  • Audit and monitor configuration changes in the plugin for unauthorized modifications

Generated by OpenCVE AI on April 15, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Gamerz
Gamerz wp-downloadmanager
Wordpress
Wordpress wordpress
Vendors & Products Gamerz
Gamerz wp-downloadmanager
Wordpress
Wordpress wordpress

Wed, 18 Feb 2026 07:45:00 +0000

Type Values Removed Values Added
Description The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality.
Title WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gamerz Wp-downloadmanager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:55.555Z

Reserved: 2026-02-12T20:02:47.756Z

Link: CVE-2026-2419

cve-icon Vulnrichment

Updated: 2026-02-18T12:25:10.761Z

cve-icon NVD

Status : Deferred

Published: 2026-02-18T08:16:15.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2419

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses