CVE-2021-25069

The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue

CVE-2022-36288

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin

CVE-2022-34347

Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin

CVE-2021-34639

Authenticated File Upload in WordPress Download Manager

CVE-2022-2436

The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper th...

CVE-2022-2431

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. ...

CVE-2025-1785

The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally...

CVE-2014-9260

The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users to update every WordPress option.