CVE-2025-4798
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-07-09
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-downloadmanager_project | wp-downloadmanager | up to 1.68.11 (exclusive), i.e. 1.68.10 and earlier |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| NVD-CWE-noinfo | Insufficient information (NVD placeholder category) |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP-DownloadManager WordPress plugin allows authenticated users with Administrator-level access to arbitrarily read any file on the server. This happens because the plugin does not properly restrict the directory an administrator can select for storing downloads, enabling them to download and read system and configuration files outside the intended download directory.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive server files, including system and configuration files. An attacker with Administrator access could exploit this to access confidential information, potentially compromising the security and integrity of the server and the website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves two checks: confirm that the installed WP-DownloadManager plugin version is 1.68.10 or earlier, and confirm that an authenticated user with Administrator-level access can download files outside the intended download directory. Because the flaw is an arbitrary file read through the plugin's download functionality, the test is to request a file outside the expected directory through the plugin's interface or API while logged in as an administrator, by manipulating the download path or file parameters. The exact command depends on your environment, but a general approach is to use curl or wget with authenticated cookies. Example command (adjust the URL and parameters to match the plugin's actual download URL structure): `curl -b cookies.txt "https://yourwordpresssite.com/wp-admin/admin.php?page=wp-downloadmanager&file=../../../../etc/passwd" -L -o passwd.txt`. Monitoring web server and plugin logs for unusual download requests, especially paths containing traversal sequences or resolving outside the download directory, can also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Restrict administrator access to trusted users only, since the vulnerability requires Administrator-level privileges.
2) Update the WP-DownloadManager plugin to a version later than 1.68.10, where this vulnerability is fixed.
3) If an update is not immediately possible, manually restrict the download directory path in the plugin settings so that it is within the WordPress content directory, as the plugin attempts to validate this path.
4) Monitor and audit administrator activities related to download management.
5) Consider temporarily disabling the WP-DownloadManager plugin until a patch is applied, to prevent exploitation. [1]
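The root cause described above is a directory setting that is not confined to the WordPress content directory. As an added illustration of the containment check that mitigation step 3 relies on (example code written for this page, not the plugin's own PHP), the following Python builds a constructed temporary directory layout and shows why the check must resolve `..` segments and symlinks before comparing paths, and why a plain prefix comparison is not enough:

```python
import os
import shutil
import tempfile
from typing import Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` if it lies inside `base_dir`,
    otherwise None. Symlinks and '..' segments are resolved on both sides
    first, so a download directory that merely looks like it sits under the
    content directory cannot escape it. Assumes a POSIX filesystem."""
    base = os.path.realpath(base_dir)
    # A relative setting is interpreted relative to the base directory; an
    # absolute one replaces it (os.path.join semantics) and is caught below.
    target = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath works on path components, so "/wp-content-old" is not
        # mistaken for a child of "/wp-content" the way str.startswith would.
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:  # paths on different drives/roots cannot be compared
        return None
    return target


def demo() -> dict:
    """Constructed layout: <root>/wp-content (allowed base), <root>/secrets
    (outside), and a symlink inside wp-content pointing at secrets."""
    root = tempfile.mkdtemp()
    try:
        content = os.path.join(root, "wp-content")
        os.makedirs(os.path.join(content, "downloads"))
        os.makedirs(os.path.join(root, "secrets"))
        os.makedirs(os.path.join(root, "wp-content-old"))
        os.symlink(os.path.join(root, "secrets"), os.path.join(content, "escape"))
        return {
            "inside_allowed": resolve_within(content, "downloads/report.pdf") is not None,
            "traversal_blocked": resolve_within(content, "../secrets/wp-config.php") is None,
            "absolute_blocked": resolve_within(content, "/etc/passwd") is None,
            "symlink_blocked": resolve_within(content, "escape/wp-config.php") is None,
            "prefix_trick_blocked": resolve_within(content, "../wp-content-old/x") is None,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```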