CVE-2026-2419
Path Traversal in WP-DownloadManager Plugin Allows Arbitrary File Access
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lester_chan | wp_downloadmanager | up to and including 1.69 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP-DownloadManager plugin for WordPress has a Path Traversal vulnerability in versions up to and including 1.69. This vulnerability arises because the plugin does not properly validate the 'download_path' configuration parameter.
Specifically, attackers with Administrator-level access can manipulate the 'download_path' setting to include directory traversal sequences (like '../'), which bypass the intended restriction that the path must reside within the WordPress content directory (WP_CONTENT_DIR).
This allows these attackers to configure the plugin to list and access arbitrary files on the server outside the designated content directory by exploiting the file browser functionality.
How can this vulnerability impact me?
This vulnerability can allow an authenticated user with Administrator privileges to access and list arbitrary files on the server that hosts the WordPress site.
By exploiting the path traversal flaw, an attacker can potentially read sensitive files outside the intended download directory, which may include configuration files, credentials, or other private data.
While the vulnerability does not allow code execution or denial of service directly, unauthorized file access can lead to information disclosure and increase the risk of further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the WP-DownloadManager plugin allowing directory traversal via the 'download_path' configuration parameter. Detection involves checking whether the plugin's download_path setting can be manipulated to include directory traversal sequences such as '../'.

Since the vulnerability requires authenticated Administrator-level access, detection on a network or system can focus on monitoring changes or suspicious inputs to the download_path configuration parameter in the WordPress admin interface.

There are no explicit commands provided in the resources to detect this vulnerability directly. However, administrators can audit the plugin settings by reviewing the download_path option stored in the WordPress database or configuration files to check for directory traversal patterns.

- Use WP-CLI to inspect the download_path option: `wp option get wpdm_download_path` (or the exact option name if known) and check for '../' sequences.
- Review web server logs for suspicious requests or POST data targeting the download_path parameter.
- Monitor administrative actions in WordPress for changes to download manager settings.

[1, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WP-DownloadManager plugin to version 1.69.1 or later, where the fix has been implemented.

The fix involves validating the download_path parameter to prevent directory traversal by using PHP's realpath() function and checking that the path resides within the WP_CONTENT_DIR directory. If validation fails, the path is reset to a safe default.

Additionally, ensure that only trusted users with Administrator-level access can modify the plugin settings, and monitor for any unauthorized changes.

- Update the plugin to version 1.69.1 or later.
- Restrict administrative access to trusted users only.
- Audit and sanitize the download_path configuration to ensure it does not contain directory traversal sequences.
- Apply WordPress security best practices such as strong passwords and two-factor authentication for admin accounts.

[1, 3, 4]
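The realpath()-plus-containment check described above, written here as an added example and not taken from the plugin's own code; the stand-in WP_CONTENT_DIR, the 'downloads' default directory and the function name are assumptions for a stand-alone run. It also covers the prefix-collision case (a sibling directory whose name merely starts with the content directory's name), which a bare string-prefix comparison would accept.

```php
<?php
// Added example, not WP-DownloadManager code. In a real WordPress install
// WP_CONTENT_DIR is already defined; the stand-in below only serves a
// stand-alone run.
if (!defined('WP_CONTENT_DIR')) {
    define('WP_CONTENT_DIR', sys_get_temp_dir() . '/wp-content-example');
}

/**
 * Return a canonical download path that is guaranteed to live inside
 * WP_CONTENT_DIR, or the safe default when the submitted value fails
 * validation (does not exist, or resolves outside the content directory).
 */
function validate_download_path(string $submitted): string
{
    $base    = realpath(WP_CONTENT_DIR);
    $default = $base . DIRECTORY_SEPARATOR . 'downloads'; // assumed default

    // realpath() collapses '../' and symlinks and returns false for a path
    // that does not exist; both the base and the candidate must resolve.
    $resolved = realpath($submitted);
    if ($base === false || $resolved === false) {
        return $default;
    }

    // Compare against the base WITH a trailing separator so that a sibling
    // such as "<content dir>-backup" is not accepted as a prefix match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($resolved === $base || strncmp($resolved, $prefix, strlen($prefix)) === 0) {
        return $resolved;
    }
    return $default;
}

// Constructed directory layout so the cases below exist on disk.
@mkdir(WP_CONTENT_DIR . '/downloads', 0700, true);
@mkdir(WP_CONTENT_DIR . '-backup', 0700, true);

$cases = [
    WP_CONTENT_DIR . '/downloads',        // legitimate, kept as-is
    WP_CONTENT_DIR . '/downloads/../..',  // traversal, resolves outside
    WP_CONTENT_DIR . '-backup',           // prefix collision, rejected
    dirname(WP_CONTENT_DIR),              // parent directory, rejected
];
foreach ($cases as $c) {
    printf("%-50s => %s\n", $c, validate_download_path($c));
}
```

Only the first case is returned unchanged; the other three fall back to the default directory.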