Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total47
Critical0
High13
Medium34
Reset
Showing 1-20 of 47 records
Threat Entry Updated 2026-04-13

CVE-2026-4057 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do…

PLUGIN Download Manager

CVE-2026-4057

MEDIUM CVSS 4.3 2026-04-10
Open Full Technical Breakdown
Threat Entry Updated 2026-04-13

CVE-2026-5357 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts…

PLUGIN Download Manager

CVE-2026-5357

MEDIUM CVSS 6.4 2026-04-09
Open Full Technical Breakdown
Threat Entry Updated 2026-03-19

CVE-2026-2571 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates.

PLUGIN Download Manager

CVE-2026-2571

MEDIUM CVSS 4.3 2026-03-19
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-1666 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Download Manager

CVE-2026-1666

MEDIUM CVSS 6.1 2026-02-18
Open Full Technical Breakdown
Threat Entry Updated 2026-01-08

CVE-2025-15364 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.

PLUGIN Download Manager

CVE-2025-15364

HIGH CVSS 7.3 2026-01-06
Open Full Technical Breakdown
Threat Entry Updated 2025-12-18

CVE-2025-13498 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files.

PLUGIN Download Manager

CVE-2025-13498

MEDIUM CVSS 4.3 2025-12-18
Open Full Technical Breakdown
Threat Entry Updated 2025-11-12

CVE-2025-12177 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.

PLUGIN Download Manager

CVE-2025-12177

MEDIUM CVSS 5.3 2025-11-08
Open Full Technical Breakdown
Threat Entry Updated 2025-09-19

CVE-2025-10146 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Download Manager

CVE-2025-10146

MEDIUM CVSS 6.1 2025-09-19
Open Full Technical Breakdown
Threat Entry Updated 2025-07-09

CVE-2025-4367 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2025-4367

MEDIUM CVSS 6.4 2025-06-19
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2024-8284 - Download Manager Plugin

The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

PLUGIN Download Manager

CVE-2024-8284

MEDIUM CVSS 4.8 2025-05-15
Open Full Technical Breakdown
Threat Entry Updated 2025-04-21

CVE-2025-3404 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Download Manager

CVE-2025-3404

HIGH CVSS 8.8 2025-04-19
Open Full Technical Breakdown
Threat Entry Updated 2025-04-21

CVE-2025-3056 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Download Manager

CVE-2025-3056

MEDIUM CVSS 5.4 2025-04-18
Open Full Technical Breakdown
Threat Entry Updated 2025-04-09

CVE-2024-13126 - Download Manager Plugin

The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files.

PLUGIN Download Manager

CVE-2024-13126

MEDIUM CVSS 4.6 2025-03-16
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-1785 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.

PLUGIN Download Manager

CVE-2025-1785

MEDIUM CVSS 5.4 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-04-17

CVE-2024-10706 - Download Manager Plugin

The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Download Manager

CVE-2024-10706

MEDIUM CVSS 4.8 2024-12-20
Open Full Technical Breakdown
Threat Entry Updated 2025-03-21

CVE-2024-11768 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.

PLUGIN Download Manager

CVE-2024-11768

MEDIUM CVSS 5.3 2024-12-19
Open Full Technical Breakdown
Threat Entry Updated 2025-03-21

CVE-2024-11740 - The Download Manager Plugin

The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Download Manager

CVE-2024-11740

HIGH CVSS 7.3 2024-12-19
Open Full Technical Breakdown
Threat Entry Updated 2025-03-21

CVE-2024-6208 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_all_packages' shortcode in all versions up to, and including, 3.2.97 due to insufficient input sanitization and output escaping on the 'cols' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2024-6208

MEDIUM CVSS 6.4 2024-07-31
Open Full Technical Breakdown
Threat Entry Updated 2025-03-21

CVE-2024-2098 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

PLUGIN Download Manager

CVE-2024-2098

HIGH CVSS 7.5 2024-06-13
Open Full Technical Breakdown
Scroll to top