PT-2026-31847 · WordPress · Download Manager

Or Benit · Published 2026-04-10 · Updated 2026-04-19 · CVE-2026-4057

CVSS v3.1 4.3 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Download Manager plugin for WordPress, versions up to and including 3.3.51

Description

The Download Manager plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check in the makeMediaPublic() and makeMediaPrivate() functions. These functions only verify the generic edit_posts capability; they do not confirm that the caller may edit the specific post with current_user_can('edit_post', $id). The destructive operations run before the admin-level check in mediaAccessControl(), so that later check does not protect them. Authenticated attackers with Contributor-level access or higher can remove protection metadata (passwords, access restrictions, private flags) from any media file, including files they do not own, making admin-protected files publicly accessible via their direct URL.

Recommendations

Update to a version beyond 3.3.51.
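The pattern the advisory describes, shown as an added illustration rather than code from the Download Manager plugin: a handler that strips protection metadata checks only the generic edit_posts capability (which every Contributor holds), versus a hardened handler that checks the per-object edit_post meta-capability and a nonce before touching anything. Function names, the AJAX action name and the meta keys are hypothetical; the WordPress API calls (current_user_can, check_ajax_referer, get_post, delete_post_meta, wp_send_json_*) are real.

```php
<?php
/**
 * Added example, not code from the Download Manager plugin.
 * Illustrates the authorization bug class in CVE-2026-4057: a generic
 * capability check instead of a per-object one, with the destructive
 * step executed before any stronger check. All names below are hypothetical.
 */

// Hypothetical protection meta keys; the plugin's real keys are not given here.
const EXAMPLE_PROTECTION_META = array(
    '_example_password',
    '_example_access_roles',
    '_example_private',
);

/**
 * Vulnerable pattern. current_user_can('edit_posts') is a role-wide
 * capability: a Contributor passes it for every $id, including media owned
 * by an administrator. The metadata is deleted before any per-object check.
 */
function example_make_media_public_vulnerable( $id ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    foreach ( EXAMPLE_PROTECTION_META as $key ) {
        delete_post_meta( $id, $key );   // destructive step, no ownership check
    }
    // A later, stronger check here would be too late: the damage is done.
}

/**
 * Hardened pattern. The authorization decision is made for this specific
 * post, and before anything is modified. WordPress maps the edit_post
 * meta-capability to edit_others_posts when the caller is not the author,
 * which Contributors do not have, so they fail for media they do not own.
 */
function example_make_media_public_fixed( $id ) {
    $id = absint( $id );
    check_ajax_referer( 'example_media_acl', 'nonce' );   // CSRF protection

    $post = get_post( $id );
    if ( ! $post || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    foreach ( EXAMPLE_PROTECTION_META as $key ) {
        delete_post_meta( $id, $key );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

// Hypothetical AJAX wiring for logged-in users.
add_action( 'wp_ajax_example_make_media_public', function () {
    example_make_media_public_fixed( isset( $_POST['id'] ) ? $_POST['id'] : 0 );
} );
```

To verify a fix of this kind, test with a Contributor account against a media item owned by an administrator: the request must be rejected before any meta is removed, and the item's direct URL must remain protected afterwards. A check that happens only after the metadata has been deleted, as in the vulnerable ordering above, does not count as a fix.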

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-4057

Affected Products

Download Manager