96 matches found
CVE-2026-5357
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdmmembers' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute...
WordPress Download Manager plugin <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal vulnerability
Missing Authorization to Authenticated (Contributor+) Media File Protection Removal vulnerability discovered by Or Benit - MadSec in WordPress Plugin Download Manager versions <= 3.3.51...
CVE-2026-5357
The CVE-2026-5357 entry concerns the WordPress Download Manager plugin, affected up to version 3.3.52. The vulnerability is a Stored Cross-Site Scripting (XSS) via the 'sid' parameter of the 'wpdm_members' shortcode. The sid attribute is extracted without sanitization in the members() function, s...
CVE-2026-39676
The CVE concerns the WordPress Download Manager plugin (Download Manager) with versions up to 3.3.52. It describes a Missing Authorization/malformed access control vulnerability (Broken Access Control) where access levels are incorrectly configured, enabling unauthorized behavior. Public referenc...
WordPress Download Manager plugin <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter vulnerability
Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin Download Manager versions <= 3.3.49...
WordPress Download Manager plugin <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword vulnerability
Unauthenticated Limited Privilege Escalation via updatePassword vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Download Manager versions <= 3.3.40...
CVE-2025-15364
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for...
CVE-2025-13498
Technical details for CVE-2025-13498 are not provided in the connected documents. The initial description notes a WordPress Download Manager plugin vulnerability up to version 3.3.32 but does not specify affected product/vendor/version details beyond that. Monitor for updates.
CVE-2025-63070 WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32...
EUVD-2025-38361
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired and clearTempDataCPCron functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs...
CVE-2025-12177 Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired and clearTempDataCPCron functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs...
PT-2025-45551
Name of the Vulnerable Software and Affected Versions: WordPress Download Manager plugin versions prior to 3.3.31. Description: The WordPress Download Manager plugin contains a flaw due to a hardcoded Cron key used in the deleteExpired and clearTempDataCPCron functions. This allows unauthenticated...
EUVD-2021-21289
Malware in sbrugna...
EUVD-2017-11400
Malware in sbrugna...
EUVD-2025-24914
Malicious code in bioql PyPI...
WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Que Thanh Tuan - Blue Rock in WordPress Plugin Download Manager versions <= 3.3.32...
WordPress Download Manager Plugin <= 3.3.24 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Download Manager versions <= 3.3.24...
CVE-2025-60093 WordPress Download Manager Plugin <= 3.3.24 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Shahjada Download Manager download-manager allows Cross Site Request Forgery. This issue affects Download Manager: from n/a through <= 3.3.24...
CVE-2025-60092
CVE-2025-60092 affects the Download Manager WordPress plugin (versions up to 3.3.24/3.3.25 per sources) and is an unauthenticated exposure of sensitive information. Exploitation details are not provided in the documents, but WordFence notes the vulnerability as a sensitive information exposure an...
CVE-2025-60092 WordPress Download Manager Plugin <= 3.3.25 - Sensitive Data Exposure Vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.25...