VYPR

Wp Downloadmanager

by WordPress

Source repositories

CVEs (9)

  • CVE-2025-10747HigSep 26, 2025
    risk 0.47cvss 7.2epss 0.01

    The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access…

  • CVE-2024-47341HigOct 6, 2024
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-DownloadManager wp-downloadmanager allows Reflected XSS.This issue affects WP-DownloadManager: from n/a through <= 1.68.8.

  • CVE-2026-2419LowFeb 18, 2026
    risk 0.11cvss 2.7epss 0.01

    The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences…

  • CVE-2025-4799Jun 11, 2025
    risk 0.00cvss epss 0.01

    The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level…

  • CVE-2022-25606Mar 25, 2022
    risk 0.00cvss epss 0.01

    Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.

  • CVE-2022-25605Mar 18, 2022
    risk 0.00cvss epss 0.01

    Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url.

  • CVE-2021-44760Mar 18, 2022
    risk 0.00cvss epss 0.01

    Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions.

  • CVE-2020-24141Jul 7, 2021
    risk 0.00cvss epss 0.01

    Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports, local network…

  • CVE-2013-2697Apr 19, 2013
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.