CVE-2025-4799

Name of the Vulnerable Software and Affected Versions WP-DownloadManager versions 1.68.10 and earlier

Description The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to a lack of restriction on the directory from which a file can be deleted. This allows authenticated attackers with Administrator-level access and above to delete arbitrary files on the server, potentially leading to remote code execution when the right file is deleted, such as wp-config.php.

Recommendations For WP-DownloadManager versions 1.68.10 and earlier, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation. Avoid using the plugin's file deletion functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.