Description
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.
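The defect described above is an object-level authorization gap (CWE-862): `edit_posts` is a blanket capability that any Contributor holds, whereas `current_user_can('edit_post', $id)` is mapped per post and fails for attachments the user does not own. The handler below is an added, illustrative example of the hardened pattern for a WordPress AJAX endpoint; it is not the Download Manager plugin's own code, and the action name, nonce action, meta keys and function name are assumptions made for the example. Both authorization checks run before any state is modified, so the "destructive operation before the admin check" ordering cannot recur.

```php
<?php
// Added illustrative example; not code from the Download Manager plugin.
// All names below (action hook, nonce action, meta keys) are assumptions.

add_action( 'wp_ajax_example_make_media_public', 'example_make_media_public' );

function example_make_media_public() {
    // 1. CSRF check: the request must carry a nonce this site issued.
    check_ajax_referer( 'example_media_access', 'nonce' );

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'invalid media id', 400 );
    }

    // 2. Object-level authorization. 'edit_post' is resolved through
    //    map_meta_cap() for this specific post: a Contributor passes only
    //    for attachments they own, because editing someone else's post
    //    requires 'edit_others_posts'. A bare 'edit_posts' check would
    //    pass for anyone able to write a draft.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Elevated check BEFORE any write. Stripping protection metadata is
    //    a site-wide exposure decision, so require the administrative
    //    capability first rather than after the metadata is already gone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Only now mutate state (meta keys are assumptions for the example).
    delete_post_meta( $id, '_example_password' );
    delete_post_meta( $id, '_example_access_roles' );
    update_post_meta( $id, '_example_private', 0 );

    wp_send_json_success( array( 'id' => $id, 'public' => true ) );
}
```

The same ordering applies to the private-making counterpart and to any other endpoint that edits protection metadata: validate input, check the per-object capability, check the elevated capability, and only then write. Logging the rejected requests (user id, attachment id, capability that failed) gives a detection signal for contributors probing endpoints on files they do not own.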
Published: 2026-04-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

A missing capability check in the `makeMediaPublic()` and `makeMediaPrivate()` functions of the Download Manager plugin allows any authenticated user with Contributor-level access or higher to remove protection metadata from media files they do not own. The plugin only verifies the `edit_posts` capability, without checking ownership of the specific post, and the operations are performed before the higher-level admin check runs. This can cause files that should remain private to become publicly accessible via their direct URLs, exposing potentially sensitive content.

Affected Systems

The vulnerability affects all installations of the Download Manager plugin for WordPress up to and including version 3.3.51. The plugin is published by the vendor codename065 and manages files stored in a WordPress site's media library.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available. The attack requires authenticated access with a Contributor or greater role, leveraging the plugin's public endpoints. Although the CVE is not listed in KEV, the direct nature of the exploit and the lack of restriction on the affected functions increase the likelihood of use in environments where contributors have access. Organizations should consider the potential for unintended data exposure and the ease of exploitation when assessing risk.

Generated by OpenCVE AI on April 10, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Download Manager plugin to version 3.3.52 or later.
  • If an immediate update is not possible, restrict Contributor-level users from accessing media protection functions by adjusting role capabilities or disabling the affected endpoints.
  • After updating or restricting access, review media files that had been made public to ensure they are still protected as intended.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Codename065; Codename065 download Manager Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Codename065; Codename065 download Manager Plugin; Wordpress; Wordpress wordpress

Fri, 10 Apr 2026 01:45:00 +0000

Values Added:

Description: The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.

Title: Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal

Weaknesses: CWE-862

References

Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Codename065 Download Manager Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T01:24:58.764Z

Reserved: 2026-03-12T16:54:21.437Z

Link: CVE-2026-4057

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-10T02:16:03.240

Modified: 2026-04-10T02:16:03.240

Link: CVE-2026-4057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:11Z

Weaknesses