Impact
The Download Manager plugin for WordPress contains a missing authorization check that allows unauthenticated visitors to reach functionality normally reserved for authenticated administrators. Because the plugin does not verify user roles or capabilities before permitting download or file-configuration actions, an attacker can trigger privileged operations or retrieve sensitive files from the download repository. The flaw is a classic case of missing authorization (CWE-862) and can lead to data disclosure or modification when the hosted content is meant to be private.
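The following PHP is an added illustration of the missing-authorization pattern described above, written for this page; it is not code from the Download Manager plugin, and the hook names, action names, option key and request parameters (`example_dm_*`, `settings`, `file`) are hypothetical. It contrasts a handler that anyone can reach with a hardened version that checks the caller's capability, verifies a nonce, and constrains which files may be served.

```php
<?php
// Added example, not the plugin's own code. All names are hypothetical.

// VULNERABLE PATTERN: the settings handler is registered for anonymous
// visitors (wp_ajax_nopriv_*) and never checks who is calling before it
// writes plugin configuration. This is the CWE-862 shape: the action is
// privileged, but no authorization decision is made.
add_action( 'wp_ajax_nopriv_example_dm_save_settings', 'example_dm_save_settings_insecure' );
add_action( 'wp_ajax_example_dm_save_settings', 'example_dm_save_settings_insecure' );

function example_dm_save_settings_insecure() {
    // No current_user_can() and no nonce: any HTTP request reaching this
    // endpoint overwrites the option.
    update_option( 'example_dm_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// HARDENED PATTERN: only the authenticated hook is registered, the handler
// requires the capability the action actually needs, and a nonce prevents a
// logged-in administrator from being made to trigger it cross-site.
add_action( 'wp_ajax_example_dm_save_settings_secure', 'example_dm_save_settings_secure' );

function example_dm_save_settings_secure() {
    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }
    // CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_dm_save_settings', 'nonce' );

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    // Keep only the keys the plugin expects and sanitize each value.
    $clean = array(
        'allow_guest_download' => ! empty( $raw['allow_guest_download'] ) ? 1 : 0,
        'storage_dir'          => sanitize_text_field( $raw['storage_dir'] ?? '' ),
    );
    update_option( 'example_dm_settings', $clean );
    wp_send_json_success( $clean );
}

// HARDENED DOWNLOAD PATH: a file is served only if the caller is allowed to
// read the package post that owns it, and only from inside the uploads tree.
add_action( 'wp_ajax_example_dm_download', 'example_dm_download_secure' );
add_action( 'wp_ajax_nopriv_example_dm_download', 'example_dm_download_secure' );

function example_dm_download_secure() {
    $package_id = isset( $_GET['package'] ) ? absint( $_GET['package'] ) : 0;
    $file       = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';

    // Object-level authorization: read_post respects private/draft status,
    // so anonymous users are refused for non-public packages.
    if ( ! $package_id || ! current_user_can( 'read_post', $package_id ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }

    // Path containment: resolve the requested file and refuse anything that
    // escapes the plugin's storage directory (hypothetical subdirectory).
    $base = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-dm/';
    $path = realpath( $base . $file );
    if ( false === $path || 0 !== strpos( $path, realpath( $base ) ) || ! is_file( $path ) ) {
        wp_die( 'not found', '', array( 'response' => 404 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

The design point is that authentication (being logged in) is not authorization: each privileged action needs an explicit capability check, and each download needs a per-object decision rather than a global "is this endpoint reachable" gate. The `realpath` containment check is a separate defence against path traversal and is included only because file-serving handlers commonly need both.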
Affected Systems
Affected systems are websites that have installed the Shahjada Download Manager plugin for WordPress. The issue covers all releases from the first publicly available version up to and including 3.3.52. Site owners who maintain older installations or rely on this plugin should verify whether they run a version below 3.3.53 and plan an upgrade.
Risk and Exploitability
The CVSS score is not reported in the public data, and EPSS information is unavailable, so the precise exploit probability is unclear. However, because the flaw can be triggered by unauthenticated HTTP requests and the affected plugin is widely deployed, the risk to exposed sites is significant. The vulnerability is not listed in the CISA KEV catalog, but it remains a priority for administrators to patch or otherwise mitigate. An attacker could potentially use the flaw to harvest restricted files or alter the plugin configuration, leading to data exposure or a broader compromise of the site.
OpenCVE Enrichment