Download Manager Missing Capability Check Vulnerability Allowing Email Enumeration

Vulnerability

A vulnerability exists in the Download Manager plugin for WordPress, in all versions through 3.3.49. The issue arises from a missing capability check in the 'reviewUserStatus' function, which allows authenticated users with Subscriber-level access and above to access sensitive information about other users. This includes email addresses, display names, and registration dates.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user data, allowing attackers to enumerate email addresses and other personal information of users on the site.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wpdmdz_user_status' action via the admin-ajax.php file. The request must include a 'user' parameter specifying the ID of the user whose information is being requested. This can be done manually or through a script that automates the process.

Remediation

Users are advised to update the Download Manager plugin to version 3.3.50 or later.
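For plugin developers, the control the advisory says was missing is a capability check in the AJAX handler. The following hardened handler is an added example, not the plugin's own code: the handler name, the nonce action name and the returned fields are assumptions, while the 'wp_ajax_wpdmdz_user_status' hook and the 'user' parameter follow the advisory.

```php
<?php
// Added example of a hardened admin-ajax handler for the action named in the
// advisory. Hypothetical: the function name, the nonce action
// 'wpdmdz_user_status_nonce' and the fields returned are assumptions.

add_action( 'wp_ajax_wpdmdz_user_status', 'example_wpdmdz_user_status' );

function example_wpdmdz_user_status() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    check_ajax_referer() stops execution (HTTP 403) on a bad or missing nonce.
    check_ajax_referer( 'wpdmdz_user_status_nonce', 'nonce' );

    // 2. Capability check: this is the control the advisory describes as missing.
    //    Only users allowed to list site users may look up other accounts;
    //    a Subscriber does not hold 'list_users', so the request ends here.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate input: 'user' must be a positive integer ID.
    $user_id = isset( $_REQUEST['user'] ) ? absint( $_REQUEST['user'] ) : 0;
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Invalid user ID.' ), 400 );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        // Same message and status as the validation failure above, so the
        // endpoint does not confirm which IDs exist.
        wp_send_json_error( array( 'message' => 'Invalid user ID.' ), 400 );
    }

    // 4. Only callers who can already see these fields on the Users screen
    //    reach this point, so returning them does not widen exposure.
    wp_send_json_success( array(
        'id'           => $user->ID,
        'display_name' => $user->display_name,
        'user_email'   => $user->user_email,
        'registered'   => $user->user_registered,
    ) );
}
```

The page that issues the request must pass a nonce created with wp_create_nonce( 'wpdmdz_user_status_nonce' ) in the 'nonce' parameter, otherwise step 1 rejects every call.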

Added: Mar 19, 2026, 7:24 AM
Updated: Mar 19, 2026, 7:24 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.