CVE-2026-2571
Unauthorized Data Access in WordPress Download Manager Plugin

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: Wordfence

Description
The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates.
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor              Product           Version / Range
wpdownloadmanager   download_manager  up to 3.3.49 (inclusive)
wpdownloadmanager   download_manager  3.3.50
wpdownloadmanager   download_manager  3.3.41
CWE
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2571 is a security vulnerability in the WordPress Download Manager plugin affecting all versions up to and including 3.3.49. The issue arises from a missing capability check in the 'reviewUserStatus' function, which allows authenticated users with Subscriber-level access or higher to access sensitive information about any user on the site.

Specifically, attackers can retrieve sensitive user data such as email addresses, display names, and registration dates by exploiting the lack of proper authorization checks in the AJAX requests that handle user status review.

The vulnerability was fixed in version 3.3.50 by adding strict nonce verification and capability checks so that only authorized users (those with the 'manage_options' capability) can access or modify user statuses. [2, 4]
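The pattern behind the description, as an added illustration that is not the Download Manager plugin's own code: a WordPress admin-ajax handler that trusts the login alone, beside the same handler with the nonce and capability checks the fix is described as adding. The action name wpdm_example_review_user_status, the nonce action and the 'user' parameter handling are assumptions. The reason a Subscriber account suffices is that WordPress fires the wp_ajax_{action} hook for every authenticated user regardless of role; only an explicit current_user_can() call inside the handler narrows that.

```php
<?php
// Added illustration, not the Download Manager plugin's source. The action name,
// nonce action and parameter name ("user") are assumptions.

// VULNERABLE PATTERN: wp_ajax_{action} fires for every logged-in user, so a
// handler without its own capability check is reachable by any Subscriber.
function wpdm_example_review_user_status_vulnerable() {
    $user_id = isset( $_REQUEST['user'] ) ? (int) $_REQUEST['user'] : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user' );
    }
    // Hands the record of an arbitrary user to whoever asked.
    wp_send_json_success( array(
        'email'      => $user->user_email,
        'name'       => $user->display_name,
        'registered' => $user->user_registered,
    ) );
}

// HARDENED PATTERN: the same handler with the checks the fix is described as adding.
function wpdm_example_review_user_status_fixed() {
    // 1. Request forgery: the caller must present a nonce minted for this action
    //    (the front end obtains it via wp_create_nonce( 'wpdm_review_user_status' )).
    //    check_ajax_referer() dies with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'wpdm_review_user_status', 'nonce' );

    // 2. Authorization: being logged in is not enough; require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the id must be a positive integer naming a real user.
    $user_id = isset( $_REQUEST['user'] ) ? absint( $_REQUEST['user'] ) : 0;
    $user    = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }

    wp_send_json_success( array(
        'email'      => $user->user_email,
        'name'       => $user->display_name,
        'registered' => $user->user_registered,
    ) );
}

// A real plugin registers exactly one callback. The hardened one is wired here;
// the vulnerable one is kept above only for contrast.
add_action( 'wp_ajax_wpdm_example_review_user_status', 'wpdm_example_review_user_status_fixed' );
```

Two points the fixed version relies on: wp_send_json_error() calls wp_die() internally, so the code after a failed check never runs, and the nonce alone is not authorization. Nonces are per-user CSRF tokens, and any Subscriber can obtain one for an action whose nonce is printed on a page they are allowed to load, so the current_user_can() call is the check that actually closes this class of bug.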


How can this vulnerability impact me?

This vulnerability allows authenticated users with low-level privileges (Subscriber-level) to access sensitive information about other users on the WordPress site, including their email addresses, display names, and registration dates.

Such unauthorized access can lead to privacy breaches, targeted phishing attacks, spam, or social engineering attempts against users of the site.

While the vulnerability does not allow modification or deletion of data, the exposure of personal information can undermine user trust and site security.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to user data via AJAX requests to the WordPress Download Manager plugin, specifically through the 'user' parameter in AJAX actions like 'wp_ajax_wpdmdz_user_status' and 'wp_ajax_wpdmdz_update_user_status'.

To detect exploitation attempts on your system or network, monitor HTTP requests targeting these AJAX endpoints and look for requests made by authenticated users with Subscriber-level privileges or higher attempting to access user status or email information.

Suggested commands to detect such activity include inspecting web server logs for suspicious AJAX requests:

- Use grep to find AJAX requests to the vulnerable actions in access logs:
  grep -i 'wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep -E 'wpdmdz_user_status|wpdmdz_update_user_status'
- Filter requests by the 'user' parameter to identify potential enumeration attempts:
  grep -i 'user=' /var/log/apache2/access.log | grep 'wpdmdz_user_status'

Note that both greps only match when the action and user parameters travel in the query string. admin-ajax.php is usually called with POST, and a default access log does not record request bodies, so such calls appear only as "POST /wp-admin/admin-ajax.php" lines with no visible action. Request-body logging at the web server or WAF, or the plugin's own logs, is needed to see the action and the requested user id in that case.

Additionally, an unusual pattern of authenticated Subscriber-level users making repeated AJAX calls to these endpoints could indicate exploitation attempts. [2]
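A small hunt over access-log lines, added here as an example and not taken from the page's sources: it keys on the action names the paragraphs above list, groups hits per client address and flags clients that asked about several distinct user ids, which is what enumeration looks like. The log lines are constructed, and the threshold and field layout (Apache "combined" format) are assumptions. It also counts admin-ajax.php POSTs whose action is invisible because the body is not logged, which is the case this hunt cannot decide from the access log alone.

```php
<?php
// Added example, not the plugin's or the page's code. Log lines below are constructed.

$watched_actions = array( 'wpdmdz_user_status', 'wpdmdz_update_user_status' );

// Constructed Apache "combined" log lines: one client walking user ids 1..3,
// one legitimate-looking single lookup, and one POST whose action is not visible.
$log = <<<'LOG'
203.0.113.7 - - [19/Mar/2026:10:01:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpdmdz_user_status&user=1 HTTP/1.1" 200 233 "-" "curl/8.5.0"
203.0.113.7 - - [19/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpdmdz_user_status&user=2 HTTP/1.1" 200 241 "-" "curl/8.5.0"
203.0.113.7 - - [19/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpdmdz_user_status&user=3 HTTP/1.1" 200 240 "-" "curl/8.5.0"
198.51.100.4 - - [19/Mar/2026:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Mar/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=wpdmdz_user_status&user=5 HTTP/1.1" 200 230 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Mar/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 230 "https://example.test/wp-admin/" "Mozilla/5.0"
LOG;

// Split one combined-format line into client, time, method, path, parsed query and status.
function parse_line( $line ) {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $path  = $m[4];
    $query = array();
    $q     = strpos( $path, '?' );
    if ( false !== $q ) {
        parse_str( substr( $path, $q + 1 ), $query );
        $path = substr( $path, 0, $q );
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $path,
        'query'  => $query,
        'status' => (int) $m[5],
    );
}

// Count, per client, requests to the watched actions and the distinct user ids asked for.
// $threshold distinct ids from one client is treated as enumeration (assumed value).
function hunt( $log_text, $watched, $threshold = 3 ) {
    $per_ip = array();
    $blind  = 0; // admin-ajax.php POSTs whose action lives in the unlogged body
    foreach ( explode( "\n", trim( $log_text ) ) as $line ) {
        $r = parse_line( $line );
        if ( ! $r || substr( $r['path'], -15 ) !== '/admin-ajax.php' ) {
            continue;
        }
        if ( 'POST' === $r['method'] && empty( $r['query']['action'] ) ) {
            $blind++;
            continue;
        }
        $action = isset( $r['query']['action'] ) ? $r['query']['action'] : '';
        if ( ! in_array( $action, $watched, true ) ) {
            continue;
        }
        $ip = $r['ip'];
        $per_ip[ $ip ]['hits'] = ( $per_ip[ $ip ]['hits'] ?? 0 ) + 1;
        if ( isset( $r['query']['user'] ) ) {
            $per_ip[ $ip ]['users'][ $r['query']['user'] ] = true;
        }
    }

    $alerts = array();
    foreach ( $per_ip as $ip => $s ) {
        $distinct = count( $s['users'] ?? array() );
        if ( $distinct >= $threshold ) {
            $alerts[] = sprintf( '%s queried %d distinct user ids in %d requests', $ip, $distinct, $s['hits'] );
        }
    }
    return array( 'alerts' => $alerts, 'blind_posts' => $blind );
}

$result = hunt( $log, $watched_actions );
foreach ( $result['alerts'] as $alert ) {
    echo "ALERT: $alert\n";
}
echo "admin-ajax.php POSTs with no visible action (need body or WAF logs): {$result['blind_posts']}\n";
```

Run it with php on the command line, or replace the nowdoc with file_get_contents() of the real access log. The single lookup from 198.51.100.4 is below the threshold and is not reported; the 192.0.2.9 POST is counted separately because nothing in the access log says which action it carried.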


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update the WordPress Download Manager plugin to version 3.3.50 or later, where the vulnerability has been fixed by adding proper authorization checks and nonce verification to the AJAX handlers managing user status.

If immediate updating is not possible, restrict access to the AJAX endpoints 'wp_ajax_wpdmdz_user_status' and 'wp_ajax_wpdmdz_update_user_status' to trusted administrator users by implementing server-side access controls or firewall rules. A firewall rule has to match the action parameter in the request body as well as in the query string, since admin-ajax.php is normally called with POST; blocking /wp-admin/admin-ajax.php wholesale breaks legitimate dashboard and front-end features that use it.

Additionally, review user roles and permissions to ensure that subscriber-level users do not have elevated capabilities that could be exploited.

Monitor logs for suspicious activity targeting these AJAX endpoints and consider temporarily disabling the Download Manager plugin if exploitation attempts are detected and cannot be immediately mitigated. [2, 4]
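One way to implement the interim server-side control described above, as an added example that is not the plugin's own code: a must-use plugin (dropped into wp-content/mu-plugins/) that hooks the same wp_ajax_* actions at an earlier priority than the plugin's callback and refuses everyone without manage_options before that callback runs. The action names are those this page's detection section lists and are assumptions; confirm the hook names actually registered by the installed version (for example by searching the plugin directory for 'wp_ajax_') before relying on this.

```php
<?php
/*
 * Plugin Name: Interim guard for Download Manager user-status AJAX actions
 * Description: Added stop-gap example, not the plugin's code. Place in wp-content/mu-plugins/
 *              until the plugin is updated to 3.3.50 or later. Action names are assumed.
 */

// Actions to fence off from non-administrators (assumed names; verify against the plugin).
const WPDM_GUARD_ACTIONS = array( 'wpdmdz_user_status', 'wpdmdz_update_user_status' );

// Runs before the plugin's own handler. Administrators fall through untouched; anyone
// else is logged and the request is terminated, so the vulnerable callback never executes.
function wpdm_guard_deny_if_unprivileged() {
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    error_log( sprintf(
        'wpdm-guard: blocked action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    // wp_send_json_error() calls wp_die(), which ends the request here.
    wp_send_json_error( 'forbidden', 403 );
}

// Priority 1 runs ahead of the plugin's callback (default priority 10). Hooks are resolved
// when admin-ajax.php fires the action, so registering here before the plugin loads is fine.
foreach ( WPDM_GUARD_ACTIONS as $action ) {
    add_action( 'wp_ajax_' . $action, 'wpdm_guard_deny_if_unprivileged', 1 );
    // Only relevant if the plugin also registered an unauthenticated variant; harmless otherwise.
    add_action( 'wp_ajax_nopriv_' . $action, 'wpdm_guard_deny_if_unprivileged', 1 );
}
```

This guards only the named actions and only the WordPress code path; it is a virtual patch, not a fix, and the entries it writes with error_log() give you a record of who tried while the real update is scheduled. Remove it once the plugin is at 3.3.50 or later so that the plugin's own checks are the ones being exercised.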

