CVE-2025-3404

Name of the Vulnerable Software and Affected Versions Download Manager plugin for WordPress versions up to, and including, 3.3.12

Description The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted, such as wp-config.php.

Recommendations For versions up to, and including, 3.3.12, update to a version that fixes the savePackage function issue to prevent arbitrary file deletion. As a temporary workaround, consider disabling the savePackage function until a patch is available. Restrict access to the Download Manager plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.