CVE-2026-39676
Description
Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Manager: from n/a through <= 3.3.52.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WordPress Download Manager plugin allows low-privileged users to access restricted functionality; update to 3.3.53.
Vulnerability Description
The CVE-2026-39676 vulnerability affects the WordPress Download Manager plugin (versions up to 3.3.52) and is due to a missing authorization check. This broken access control issue allows unprivileged users to execute actions that should require higher privileges, such as downloading or managing files they should not have access to [1].
Exploitation Details
Exploitation does not require authentication, but the attacker must be a user with some level of access (e.g., subscriber) to trigger the unauthorized action. The vulnerability is classified as low severity (CVSS 5.3) and is unlikely to be exploited individually, but it is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Impact
Successful exploitation enables an attacker to perform actions like downloading protected files or modifying download settings, depending on the missing authorization scope. This can lead to data exposure or partial site compromise, though the impact is limited due to the low privilege escalation potential.
Mitigation
The vulnerability is patched in version 3.3.53. Users are strongly advised to update immediately. Patchstack customers can enable auto-updates for vulnerable plugins. If updating is not possible, consult a hosting provider for temporary workarounds [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.3.52
Patches
No patches discovered yet.
References