126 matches found

RedhatCVE
added 2026/06/05 7:35 p.m., 9 views

CVE-2026-5357

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute...

CVSS 6.4, AI score 5.7, EPSS 0.00302
Exploits 0, References 1

Patchstack
added 2026/04/10 12:3 a.m., 5 views

WordPress Download Manager plugin <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal vulnerability

Missing Authorization to Authenticated Contributor+ Media File Protection Removal vulnerability discovered by Or Benit - MadSec in WordPress Plugin Download Manager versions <= 3.3.51...

CVSS 4.3, AI score 5.9, EPSS 0.00373
Exploits 0, References 1, Affected Software 1

CVE
added 2026/04/09 2:25 a.m., 12 views

CVE-2026-5357

The CVE-2026-5357 entry concerns the WordPress Download Manager plugin, affected up to version 3.3.52. The vulnerability is a Stored Cross-Site Scripting (XSS) via the 'sid' parameter of the 'wpdm_members' shortcode. The sid attribute is extracted without sanitization in the members() function, s...

CVSS 6.4, AI score 6.1, EPSS 0.00302
Exploits 0, References 6

CVE
added 2026/04/08 8:30 a.m., 8 views

CVE-2026-39676

The CVE concerns the WordPress Download Manager plugin (Download Manager) with versions up to 3.3.52. It describes a Missing Authorization/malformed access control vulnerability (Broken Access Control) where access levels are incorrectly configured, enabling unauthorized behavior. Public referenc...

CVSS 5.3, AI score 5.9, EPSS 0.0019
Exploits 1, References 1

Cvelist
added 2026/04/08 8:30 a.m., 23 views

CVE-2026-39616 WordPress Download Attachments plugin <= 1.4.0 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through <= 1.4.0...

CVSS 5.3, EPSS 0.00213
Exploits 0, References 1

Patchstack
added 2026/03/19 10:16 p.m., 4 views

WordPress Download Manager plugin <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter vulnerability

Missing Authorization to Authenticated Subscriber+ User Email Enumeration via 'user' Parameter vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin Download Manager versions <= 3.3.49...

CVSS 4.3, AI score 5.8, EPSS 0.00222
Exploits 0, References 1, Affected Software 1

Patchstack
added 2026/01/06 6:9 a.m., 7 views

WordPress Download Manager plugin <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword vulnerability

Unauthenticated Limited Privilege Escalation via updatePassword vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Download Manager versions <= 3.3.40...

CVSS 7.3, AI score 6.9, EPSS 0.00168
Exploits 0, References 1, Affected Software 1

NVD
added 2026/01/06 2:15 a.m., 5 views

CVE-2025-15364

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for...

CVSS 7.3, EPSS 0.00168
Exploits 0, References 3

CVE
added 2025/12/18 7:20 a.m., 8 views

CVE-2025-13498

Technical details for CVE-2025-13498 are not provided in the connected documents. The initial description notes a WordPress Download Manager plugin vulnerability up to version 3.3.32 but does not specify affected product/vendor/version details beyond that. Monitor for updates.

CVSS 4.3, AI score 4.9, EPSS 0.00352
Exploits 0, References 5

Vulnrichment
added 2025/12/09 2:52 p.m., 1 view

CVE-2025-63070 WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32...

CVSS 4.3, AI score 6.5, EPSS 0.00215
Exploits 0, References 1

NVD
added 2025/11/18 9:15 a.m., 8 views

CVE-2025-12961

The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wpajaxsavesettings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the dlpnsavesettings...

CVSS 4.3, EPSS 0.00197
Exploits 0, References 3

EUVD
added 2025/11/08 6:30 a.m., 4 views

EUVD-2025-38361

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired and clearTempDataCPCron functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs...

CVSS 5.3, AI score 5.6, EPSS 0.00196
Exploits 0, References 3

Vulnrichment
added 2025/11/08 3:27 a.m., 3 views

CVE-2025-12177 Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired and clearTempDataCPCron functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs...

CVSS 5.3, AI score 5.6, EPSS 0.00196
Exploits 0, References 2

Positive Technologies
added 2025/11/08 12:0 a.m., 7 views

PT-2025-45551

Name of the Vulnerable Software and Affected Versions: WordPress Download Manager plugin versions prior to 3.3.31. Description: The WordPress Download Manager plugin contains a flaw due to a hardcoded Cron key used in the deleteExpired and clearTempDataCPCron functions. This allows unauthenticated...

CVSS 5.3, AI score 6.8, EPSS 0.00196
Exploits 0, References 6

CVE
added 2025/11/05 6:0 a.m., 13 views

CVE-2025-11072

CVE-2025-11072 concerns the MelAbu WP Download Counter Button WordPress plugin (versions up to 1.8.6.7). The issue is that the plugin does not validate the file path for downloads, which could allow an unauthenticated attacker to read/download arbitrary files. In public disclosures, Patchstack an...

CVSS 5.3, AI score 6.6, EPSS 0.00291
Exploits 0, References 1

EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2021-21289

Malware in sbrugna...

CVSS 8.8, AI score 8.4, EPSS 0.0058
Exploits 0, References 3

EUVD
added 2025/10/07 12:30 a.m., 5 views

EUVD-2017-11400

Malware in sbrugna...

CVSS 6.1, AI score 6.2, EPSS 0.01476
Exploits 0, References 5

EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-24914

Malicious code in bioql PyPI...

CVSS 4.3, AI score 6.5, EPSS 0.00119
Exploits 0, References 1

Patchstack
added 2025/09/30 9:36 a.m., 4 views

WordPress Download Manager plugin <= 3.3.32 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by Que Thanh Tuan - Blue Rock in WordPress Plugin Download Manager versions <= 3.3.32...

CVSS 4.3, AI score 7, EPSS 0.00215
Exploits 0, Affected Software 1

Patchstack
added 2025/09/26 9:49 a.m., 5 views

WordPress Download Manager Plugin <= 3.3.24 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery CSRF Vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Download Manager versions <= 3.3.24...

CVSS 4.3, AI score 6.6, EPSS 0.00131
Exploits 0, Affected Software 1