Description
Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through <= 3.3.52.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch Immediately
AI Analysis

Impact

The vulnerability originates from a missing authorization check within the Shahjada Download Manager plugin, allowing an attacker to access files that should be restricted. This flaw permits unauthorized download of protected content, compromising the confidentiality of data held on the WordPress site. The impact is limited to file access; the attacker cannot modify the site or execute arbitrary code, but can retrieve information not intended for public consumption.

Affected Systems

The affected product is the Shahjada Download Manager plugin for WordPress, versions up through 3.3.52. Site administrators using these versions should verify their plugin version and elevation of privileges is not impacted.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability presents a moderate severity risk. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker can reach the affected functionality via the web interface of the WordPress site, typically by crafting a URL to a protected file without needing prior authentication. As such, the recommended approach is to apply the vendor patch promptly; at present there is no official workaround.

Generated by OpenCVE AI on April 8, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Download Manager plugin to version 3.3.53 or later.
  • Confirm the plugin version on the WordPress admin dashboard.
  • If an immediate update is not possible, restrict access to protected files using the plugin’s access‑control settings or add rules to block unauthenticated requests via .htaccess.

Generated by OpenCVE AI on April 8, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Shahjada
Shahjada download Manager
Wordpress
Wordpress wordpress
Vendors & Products Shahjada
Shahjada download Manager
Wordpress
Wordpress wordpress
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through <= 3.3.52.
Title WordPress Download Manager plugin <= 3.3.52 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Shahjada Download Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.997Z

Reserved: 2026-04-07T10:58:05.155Z

Link: CVE-2026-39676

cve-icon Vulnrichment

Updated: 2026-04-08T17:24:13.905Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:39.230

Modified: 2026-04-29T10:17:39.130

Link: CVE-2026-39676

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:28:07Z

Weaknesses