Download Manager

7.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.

Basic Information

ID CVE-2025-15364

Source Wordfence

Published Jan 6, 2026 at 01:50

Affected Product

Vendor codename065

Product Download Manager

Version *

Affected Versions codename065 Download Manager *

CWE Classification

CWE-353

References

{
    "lastseen": "",
    "description": "The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.",
    "published": "2026-01-06T01:50:12.652Z",
    "modified": "2026-01-06T01:50:12.652Z",
    "type": "cve",
    "title": "Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve\nhttps://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18\nhttps://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7",
    "id": "CVE-2025-15364",
    "bulletinFamily": "",
    "cwe": [
        "CWE-353"
    ],
    "cvelist": null,
    "sourceData": "codename065 Download Manager *",
    "sourceHref": "",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Download Manager",
    "version": "*",
    "vendor": "codename065",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword_CVE-2025-15364