Download Manager WordPress Plugin Missing Authorization Vulnerability Allows Password Disclosure for Protected Media

Vulnerability

A vulnerability exists in the Download Manager plugin for WordPress, affecting all versions up to and including 3.3.32. The issue arises from inadequate authorization and capability checks on the 'wpdm_media_access' AJAX action. This flaw enables authenticated attackers with Subscriber-level access and above to access passwords and access control settings for protected media attachments. Such information can be exploited to circumvent media protection and download restricted files.

Impact

Exploitation of this vulnerability could lead to unauthorized access to passwords and access control settings for protected media attachments, allowing restricted files to be downloaded.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wpdm_media_access' AJAX action. This request can include the ID of a media attachment that is protected. The absence of proper authorization checks will allow the user to retrieve the password and access settings for that attachment, which can then be used to download the file, bypassing the intended restrictions.

Remediation

Users are advised to update the Download Manager plugin to version 3.3.33 or a newer patched version.
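For plugin developers, the class of defect described above (an AJAX handler reachable by any logged-in user that never checks who is asking) and its fix look like the following. This is an added illustrative example, not the Download Manager plugin's own code; the function names, nonce action and meta key are hypothetical, and only the AJAX action name comes from the advisory.

```php
<?php
// Illustrative example (not the plugin's code). Hypothetical names throughout.

// Pattern the advisory describes: wp_ajax_* hooks fire for every
// authenticated role, so without a capability check a Subscriber can
// read the protection settings of any attachment by ID.
// Shown unhooked here for comparison only.
function example_media_access_unchecked() {
    $attachment_id = isset( $_REQUEST['ID'] ) ? (int) $_REQUEST['ID'] : 0;
    // No nonce, no authorization: returns the settings to anyone logged in.
    wp_send_json_success( get_post_meta( $attachment_id, 'example_media_access_settings', true ) );
}

// Hardened handler: this is the one actually registered.
add_action( 'wp_ajax_wpdm_media_access', 'example_media_access_checked' );
function example_media_access_checked() {
    // 1. CSRF protection: the request must carry a nonce for this action
    //    (nonce action name is hypothetical). Dies with 403 on failure.
    check_ajax_referer( 'example_media_access_nonce', 'nonce' );

    // 2. Validate the identifier and make sure it is really an attachment.
    $attachment_id = isset( $_REQUEST['ID'] ) ? absint( $_REQUEST['ID'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 3. Object-level authorization: being logged in is not enough; the
    //    caller must be allowed to edit this specific attachment.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Only now read and return the protection settings (meta key is hypothetical).
    $settings = get_post_meta( $attachment_id, 'example_media_access_settings', true );
    wp_send_json_success( $settings );
}
```

The same check belongs on every handler that reads or writes protection settings, and the capability should be chosen per object (the attachment) rather than as a single blanket role test.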

Added: Dec 18, 2025, 9:50 AM
Updated: Dec 18, 2025, 5:02 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 3.1
exploitability: 6.4
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.