The Download Manager plugin for WordPress contains a missing capability check in the reviewUserStatus function, which allows authenticated attackers with Subscriber-level access or higher to retrieve sensitive information about any site user, including email addresses, display names, and registration dates. This flaw results in a confidentiality breach and is classified under CWE-200. The impact is that attackers can harvest personally identifiable information that may be used for phishing, social engineering, or other malicious activities.

The vulnerability affects all versions of the codename065 Download Manager plugin up to and including version 3.3.49. No specific sub-version or patch information is listed beyond this cutoff. Users running any earlier or equal version are potentially impacted.

The base CVSS score of 4.3 indicates moderate severity, driven by the limited impact of information disclosure. The EPSS score is not available, and the vulnerability is not featured in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated with at least Subscriber-level privileges; no remote code execution or denial of service is possible. Given that the flaw is purely functional and does not require special conditions beyond authenticated access, the likelihood of exploitation is moderate, especially in environments with a large number of subscriber accounts.