PT-2026-1363 · WordPress · Download Manager
Drew Webber · Published 2026-01-06 · Updated 2026-01-06
CVE-2025-15364
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Download Manager plugin for WordPress versions prior to 3.3.41
Description
The Download Manager plugin for WordPress is susceptible to privilege escalation, potentially leading to account takeover. The issue stems from insufficient user identity validation before allowing updates to user details, such as passwords. This allows unauthenticated attackers to modify user passwords—excluding those of administrators—and subsequently gain access to their accounts.
Recommendations
Update the Download Manager plugin to version 3.3.41 or later.
Fix
LPE
Affected Products
Download Manager