CVE-2026-2426
Path Traversal in WP-DownloadManager Allows Arbitrary File Deletion
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lesterchan | wp-downloadmanager | up to 1.69 (inclusive) |
| lesterchan | wp-downloadmanager | 1.69.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP-DownloadManager plugin for WordPress has a vulnerability in its file deletion functionality up to version 1.69. This vulnerability is a Path Traversal issue caused by insufficient validation of user-supplied file paths via the 'file' parameter. Authenticated users with Administrator-level access or higher can exploit this to delete arbitrary files on the server by manipulating directory traversal sequences.

Because the plugin trusted file path information submitted through form POST parameters, attackers could delete critical files such as wp-config.php. Deleting such files can lead to remote code execution or other severe impacts. [2]
How can this vulnerability impact me?
This vulnerability allows an authenticated administrator or higher to delete arbitrary files on the server hosting the WordPress site. This can lead to the removal of critical configuration files like wp-config.php.
The deletion of important files can cause the website to malfunction or become compromised, potentially enabling remote code execution. This means an attacker could execute malicious code on the server, leading to full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the WP-DownloadManager plugin allowing authenticated administrators to delete arbitrary files via the 'file' parameter in the file deletion functionality. Detection involves monitoring for suspicious file deletion requests or attempts to exploit directory traversal sequences in the 'file' parameter.

Since the vulnerability requires Administrator-level access and involves HTTP POST requests to the WordPress admin interface, detection can focus on monitoring HTTP POST requests to the plugin's file deletion endpoint, looking for unusual or unexpected file paths containing directory traversal patterns such as '../'.

Suggested commands to detect potential exploitation attempts include:

- Using web server logs (e.g., Apache or Nginx) to search for POST requests to the WP-DownloadManager deletion endpoint containing directory traversal sequences:
  `grep -i 'POST' /var/log/apache2/access.log | grep 'file=' | grep '\.\./'`
- Using WordPress logs or audit plugins to monitor administrator actions related to file deletion in the WP-DownloadManager plugin.
- Checking the database or plugin logs for unexpected deletions or modifications of critical files such as wp-config.php. [1, 4]
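The grep pipeline above misses percent-encoded (`%2e%2e%2f`), double-encoded and backslash variants of the traversal sequence, and it only sees parameters that appear in the request target, since a standard access log does not record POST bodies (body inspection needs a WAF or module-level log). The following is an added example, not part of this record or of the plugin: a small Python log scanner over constructed combined-format lines that decodes the 'file' parameter repeatedly before checking it. The request route containing `wp-downloadmanager` and the client addresses are constructed for the sample, not the plugin's documented endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Nginx "combined" log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component bounded by "/" or "\" (or the string ends), after decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample log lines (RFC 5737 addresses, hypothetical admin route).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-downloadmanager HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2026:10:01:40 +0000] "POST /wp-admin/admin.php?page=wp-downloadmanager&file=../../wp-config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Feb/2026:10:02:11 +0000] "POST /wp-admin/admin.php?page=wp-downloadmanager&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [18/Feb/2026:10:03:00 +0000] "POST /wp-admin/admin.php?page=wp-downloadmanager&file=report.pdf HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Feb/2026:10:03:30 +0000] "POST /wp-admin/admin.php?page=wp-downloadmanager&file=%252e%252e%252fwp-config.php HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.9 - - [18/Feb/2026:10:04:10 +0000] "POST /wp-admin/admin.php?page=wp-downloadmanager&file=..%5c..%5cwp-config.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True when the decoded value contains a '..' path component."""
    return bool(TRAVERSAL_RE.search(fully_decode(value)))


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['params'] = parse_qs(parts.query, keep_blank_values=True)  # one decode pass here
    return rec


def find_traversal_requests(log_text, param='file', endpoint_hint='wp-downloadmanager'):
    """Return (client, timestamp, decoded value) for POSTs whose target mentions
    endpoint_hint (an assumption, not the plugin's real route) and whose `param`
    carries a traversal sequence in any encoding the decoder unwraps."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        if endpoint_hint not in fully_decode(rec['target']):
            continue
        for value in rec['params'].get(param, []):
            if has_traversal(value):
                hits.append((rec['client'], rec['ts'], fully_decode(value)))
    return hits


if __name__ == '__main__':
    for client, ts, value in find_traversal_requests(SAMPLE_LOG):
        print(f'{ts} {client} file={value!r}')
```

Pointing `find_traversal_requests` at a real access log flags four of the six sample lines (plain, percent-encoded, double-encoded and backslash forms) and leaves the legitimate `report.pdf` deletion alone; feed it a WAF or audit-plugin export if the parameter travels only in the POST body.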
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should update the WP-DownloadManager plugin to version 1.69.1 or later, where the vulnerability has been fixed.

The fix involves changing the file deletion logic to fetch file details directly from the database using the file ID, rather than trusting user-supplied POST parameters, and adding nonce verification to prevent CSRF attacks.

Additional mitigation steps include:

- Restrict administrator access to trusted users only, since exploitation requires Administrator-level privileges.
- Implement monitoring and alerting for suspicious file deletion activities or unexpected changes to critical files.
- Ensure that file upload validation is enforced, as the patch also improves file type checks to prevent dangerous uploads.
- If immediate update is not possible, consider disabling or restricting the WP-DownloadManager plugin's file deletion functionality temporarily. [2]
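The shape of the fix described above (resolve the record by its database ID, rebuild the path server-side, verify a per-user nonce) is worth seeing as code. The block below is an added illustration written for this page in Python; it is not the plugin's PHP patch and does not reproduce its code. The `FILE_TABLE` dictionary stands in for the plugin's database table, `SECRET` and the HMAC nonce scheme are constructed stand-ins for WordPress's own nonce functions, and the request is a plain dict. It goes one step beyond the described fix by also checking that the resolved path still sits directly under the download directory, as defense in depth against a bad stored name.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the plugin's database table: file id -> stored basename.
FILE_TABLE = {1: "report.pdf", 2: "notes.txt"}

# Constructed secret for the nonce; a real site uses its own salted key material.
SECRET = b"example-site-secret"


def make_nonce(user_id, action, secret=SECRET):
    """Per-user, per-action token embedded in the admin form (constructed scheme)."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(user_id, action, nonce, secret=SECRET):
    """Constant-time comparison so the check does not leak through timing."""
    return hmac.compare_digest(make_nonce(user_id, action, secret), nonce)


def delete_by_id(download_dir, file_id, file_table=FILE_TABLE):
    """Build the path from the stored record, never from request input, and
    confirm the resolved path is still a direct child of download_dir."""
    try:
        file_id = int(file_id)
    except (TypeError, ValueError):
        return False  # anything that is not an integer id is rejected before filesystem access
    name = file_table.get(file_id)
    if name is None:
        return False
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, os.path.basename(name)))
    if os.path.dirname(target) != root:
        return False  # defense in depth: a stored name must not escape the directory
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def handle_delete_request(request, download_dir, file_table=FILE_TABLE):
    """request is a dict standing in for the POST body plus the logged-in user.
    Capability and nonce checks run before any file is touched."""
    if not request.get("is_admin"):
        return "forbidden"
    if not verify_nonce(request.get("user_id"), "delete_file", request.get("nonce", "")):
        return "bad_nonce"
    if delete_by_id(download_dir, request.get("id"), file_table):
        return "deleted"
    return "not_found"


def demo():
    """Exercise the handler in a temporary tree; returns the outcome of each case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.mkdir(root)
        open(os.path.join(root, "report.pdf"), "w").close()
        outside = os.path.join(tmp, "wp-config.php")  # constructed file outside the directory
        open(outside, "w").close()
        good = make_nonce(7, "delete_file")
        results = {
            "traversal_in_id": handle_delete_request(
                {"is_admin": True, "user_id": 7, "nonce": good, "id": "../wp-config.php"}, root),
            "forged_nonce": handle_delete_request(
                {"is_admin": True, "user_id": 7, "nonce": "0" * 16, "id": 1}, root),
            "valid": handle_delete_request(
                {"is_admin": True, "user_id": 7, "nonce": good, "id": 1}, root),
            "outside_file_survived": os.path.exists(outside),
            "report_removed": not os.path.exists(os.path.join(root, "report.pdf")),
        }
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the ordering in `handle_delete_request` is that a path-like value in the `id` field never reaches `os.path.join` at all: it fails the integer conversion, so the only paths the handler can ever delete are the ones its own table names.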