CVE-2026-4057
Received Received - Intake
Unauthorized Data Modification in WordPress Download Manager Plugin

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: Wordfence

Description
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4057
EUVD
EUVD-2026-21258
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence download_manager to 3.3.51 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated attackers with Contributor-level access and above to remove protection metadata from media files they do not own, making admin-protected files publicly accessible via their direct URL.

Such unauthorized exposure of protected media files could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict control over access to sensitive or private data.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Executive Summary

The vulnerability exists in the Download Manager plugin for WordPress, where certain functions responsible for changing media file visibility lack proper capability checks.

Specifically, the functions makeMediaPublic() and makeMediaPrivate() only verify if a user has the 'edit_posts' capability but do not confirm if the user owns the post they are modifying.

Because of this, authenticated users with Contributor-level access or higher can remove protection metadata (such as passwords, access restrictions, or private flags) from media files they do not own.

This results in admin-protected files becoming publicly accessible through their direct URLs.

Impact Analysis

This vulnerability can lead to unauthorized users making protected media files publicly accessible.

An attacker with Contributor-level access or higher can strip away all protection metadata from media files they do not own, bypassing intended access restrictions.

As a result, sensitive or private media content intended to be restricted by administrators could be exposed to the public.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4057. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart