VYPR

Download Manager

by WordPress

Source repositories

CVEs (60)

  • CVE-2014-9260HigAug 7, 2017
    risk 0.61cvss 8.8epss 0.11

    The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users to update every WordPress option.

  • CVE-2022-2436HigSep 6, 2022
    risk 0.57cvss 8.8epss 0.01

    The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call files…

  • CVE-2019-25478HigMar 11, 2026
    risk 0.49cvss 7.5epss 0.00

    GetGo Download Manager 6.2.2.3300 contains a buffer overflow vulnerability that allows remote attackers to cause denial of service by sending HTTP responses with excessively long headers. Attackers can craft malicious HTTP responses with oversized header values to crash the…

  • CVE-2026-5357MedApr 9, 2026
    risk 0.42cvss 6.4epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid'…

  • CVE-2024-2098HigJun 13, 2024
    risk 0.42cvss 7.5epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download…

  • CVE-2024-29114MedMar 19, 2024
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in W3 Eden, Inc. Download Manager allows Stored XSS.This issue affects Download Manager: from n/a through 3.2.84.

  • CVE-2023-6954MedMar 13, 2024
    risk 0.42cvss 6.4epss 0.01

    The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.2.85 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…

  • CVE-2023-2305MedJun 9, 2023
    risk 0.42cvss 6.4epss 0.01

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdm_members', 'wpdm_login_form', 'wpdm_reg_form' shortcodes in versions up to, and including, 3.2.70 due to insufficient input sanitization and output escaping on user supplied…

  • CVE-2022-45836MedApr 18, 2023
    risk 0.42cvss 6.3epss 0.01

    Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in W3 Eden, Inc. Download Manager plugin <= 3.2.59 versions.

  • CVE-2022-2101MedJul 18, 2022
    risk 0.42cvss 6.4epss 0.01

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with…

  • CVE-2026-1666MedFeb 18, 2026
    risk 0.40cvss 6.1epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the…

  • CVE-2025-15364HigJan 6, 2026
    risk 0.40cvss 7.3epss 0.00

    The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it…

  • CVE-2025-10146MedSep 19, 2025
    risk 0.40cvss 6.1epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…

  • CVE-2022-1985MedJun 13, 2022
    risk 0.40cvss 6.1epss 0.01

    The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including 3.2.42. This is due to insufficient input sanitization and output escaping on the 'frameid' parameter found in the ~/src/Package/views/shortcode-iframe.php…

  • CVE-2017-18032MedJan 16, 2018
    risk 0.40cvss 6.1epss 0.01

    The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php.

  • CVE-2017-2217MedJul 7, 2017
    risk 0.40cvss 6.1epss 0.01

    Open redirect vulnerability in WordPress Download Manager prior to version 2.9.51 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

  • CVE-2017-2216MedJul 7, 2017
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2026-39615MedApr 8, 2026
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.

  • CVE-2026-2426MedFeb 18, 2026
    risk 0.35cvss 6.5epss 0.01

    The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal…

  • CVE-2024-5266MedJun 12, 2024
    risk 0.35cvss 6.4epss 0.00

    The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdm_user_dashboard, wpdm_package, wpdm_packages, wpdm_search_result, and wpdm_tag shortcodes in all versions up to, and including, 3.2.92 due to insufficient input sanitization and…

Page 1 of 3