CVE-2025-15364
Privilege Escalation in WordPress Download Manager Plugin via Account Takeover

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.
Meta Information
Published: 2026-01-06
Last Modified: 2026-01-06
Generated: 2026-05-07
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products
Associated CPE (1):
Vendor: wpdownloadmanager
Product: download_manager
Version / Range: up to and including 3.3.40
CWE
CWE-353: The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the WordPress Download Manager plugin (up to version 3.3.40) allows unauthenticated attackers to escalate privileges by taking over user accounts (except administrators). This happens because the plugin does not properly validate a user's identity before allowing updates to sensitive details like passwords. Technically, the issue is related to improper authentication and integrity checks in the encryption/decryption logic within the Crypt.php file, which uses AES-128-CBC encryption or a fallback base64 method. This flaw enables attackers to manipulate encrypted data and change user passwords without authorization. [1, 3]


How can this vulnerability impact me?

This vulnerability can allow an attacker to change the passwords of non-administrator users without authentication, effectively taking over their accounts. This unauthorized access can lead to data breaches, unauthorized actions performed under compromised accounts, and potential further exploitation within the WordPress site. The overall impact includes loss of user account control, potential data loss or manipulation, and disruption of site operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying whether the installed WordPress Download Manager plugin is version 3.3.40 or earlier, as these versions are vulnerable. You can check the installed plugin version by listing installed plugins and their versions; for example, with WP-CLI run `wp plugin list --format=json` and look for 'download-manager' with a version <= 3.3.40. Additionally, monitoring for unauthorized password changes or suspicious user account activity could indicate exploitation attempts. The resources provide no specific network commands for detecting exploitation attempts directly. [3]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Download Manager plugin to version 3.3.41 or later, where the vulnerability has been fixed by implementing proper authentication and integrity checks in the Crypt.php file. This update prevents unauthorized manipulation of encrypted data and blocks the privilege escalation via account takeover. Until the update is applied, restrict access to the plugin and monitor user account changes closely. [3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to escalate privileges by taking over user accounts (except administrators) through password changes without proper identity validation. This unauthorized access to user accounts could lead to exposure or manipulation of personal or sensitive data, potentially violating data protection requirements under standards like GDPR or HIPAA. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 3]

