Medium severity5.3NVD Advisory· Published Nov 8, 2025· Updated Apr 15, 2026

CVE-2025-12177

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.

Affected products

WordPress/Download Managerinferred
Range: <=3.3.30
Package: https://wordpress.org/plugins/download-manager

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/17d5253c-5000-40c7-a7fd-f75d4badfb5envd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000