Wp Downloadmanager
by WordPress
Source repositories
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-10747 | Hig | 0.47 | 7.2 | 0.01 | Sep 26, 2025 | The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access… | ||
| CVE-2024-47341 | Hig | 0.46 | 7.1 | 0.00 | Oct 6, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-DownloadManager wp-downloadmanager allows Reflected XSS.This issue affects WP-DownloadManager: from n/a through <= 1.68.8. | ||
| CVE-2026-2419 | Low | 0.11 | 2.7 | 0.01 | Feb 18, 2026 | The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences… | ||
| CVE-2025-4799 | 0.00 | — | 0.01 | Jun 11, 2025 | The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level… | |||
| CVE-2022-25606 | 0.00 | — | 0.01 | Mar 25, 2022 | Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories. | |||
| CVE-2022-25605 | 0.00 | — | 0.01 | Mar 18, 2022 | Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url. | |||
| CVE-2021-44760 | 0.00 | — | 0.01 | Mar 18, 2022 | Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions. | |||
| CVE-2020-24141 | 0.00 | — | 0.01 | Jul 7, 2021 | Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports, local network… | |||
| CVE-2013-2697 | 0.00 | — | 0.01 | Apr 19, 2013 | Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
- risk 0.47cvss 7.2epss 0.01
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. This makes it possible for authenticated attackers, with Administrator-level access…
- risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-DownloadManager wp-downloadmanager allows Reflected XSS.This issue affects WP-DownloadManager: from n/a through <= 1.68.8.
- risk 0.11cvss 2.7epss 0.01
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences…
- CVE-2025-4799Jun 11, 2025risk 0.00cvss —epss 0.01
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level…
- CVE-2022-25606Mar 25, 2022risk 0.00cvss —epss 0.01
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.
- CVE-2022-25605Mar 18, 2022risk 0.00cvss —epss 0.01
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url.
- CVE-2021-44760Mar 18, 2022risk 0.00cvss —epss 0.01
Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions.
- CVE-2020-24141Jul 7, 2021risk 0.00cvss —epss 0.01
Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. It can help identify open ports, local network…
- CVE-2013-2697Apr 19, 2013risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.