VYPR

Download Manager

by WordPress

CVEs (60)

  • CVE-2024-4160 | Med | May 31, 2024
    risk 0.35 | cvss 6.4 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm-all-packages' shortcode in all versions up to, and including, 3.2.90 due to insufficient input sanitization and output escaping on user supplied attributes. This makes…

  • CVE-2025-12177 | Med | Nov 8, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to…

  • CVE-2023-6785 | Med | Mar 13, 2024
    risk 0.34 | cvss 5.3 | epss 0.01

    The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately…

  • CVE-2024-1766 | Med | Jun 12, 2024
    risk 0.29 | cvss 4.4 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2025-60093 | Med | Sep 26, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager download-manager allows Cross Site Request Forgery. This issue affects Download Manager: from n/a through <= 3.3.24.

  • CVE-2025-3056 | Med | Apr 18, 2025
    risk 0.28 | cvss 5.4 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2024-56217 | Med | Dec 31, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Manager: from n/a through <= 3.3.03.

  • CVE-2026-4057 | Med | Apr 10, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking…

  • CVE-2026-2571 | Med | Mar 19, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level…

  • CVE-2025-13498 | Med | Dec 18, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for…

  • CVE-2023-6421 | Jan 1, 2024
    risk 0.07 | cvss | epss 0.02

    The Download Manager WordPress plugin before 3.2.83 does not protect file download passwords, leaking them upon receiving an invalid one.

  • CVE-2019-15889 | Sep 3, 2019
    risk 0.03 | cvss | epss 0.13

    The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.

  • CVE-2013-7319 | Feb 6, 2014
    risk 0.03 | cvss | epss 0.05

    Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.

  • CVE-2024-11740 | Dec 19, 2024
    risk 0.01 | cvss | epss 0.02

    The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This…

  • CVE-2022-2431 | Sep 6, 2022
    risk 0.01 | cvss | epss 0.03

    The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon…

  • CVE-2022-2168 | Jul 17, 2022
    risk 0.01 | cvss | epss 0.01

    The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting.

  • CVE-2025-4367 | Jun 19, 2025
    risk 0.00 | cvss | epss 0.00

    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes…

  • CVE-2025-4798 | Jun 11, 2025
    risk 0.00 | cvss | epss 0.00

    The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated…

  • CVE-2024-8284 | May 15, 2025
    risk 0.00 | cvss | epss 0.00

    The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

  • CVE-2024-13126 | Mar 16, 2025
    risk 0.00 | cvss | epss 0.00

    The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files.