Plugin icon

Download Manager

download-manager

Vulnerabilities:

71

Last Updated:

February 19, 2026

Active Installs:

100000

Published
Title
Fixed in
CVSS
Published
2026-02-17
Title
Download Manager < 3.3.47 - Reflected Cross-Site Scripting via 'redirect_to' Parameter
Fixed in
Fixed in 3.3.47
CVSS
6.1 (medium)
Published
2026-01-05
Title
Download Manager < 3.3.41 - Unauthenticated Limited Privilege Escalation
Fixed in
Fixed in 3.3.41
CVSS
5.6 (medium)
Published
2025-12-17
Title
Download Manager < 3.3.33 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure
Fixed in
Fixed in 3.3.33
CVSS
4.3 (medium)
Published
2025-11-07
Title
Download Manager < 3.3.31 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
Fixed in
Fixed in 3.3.31
CVSS
5.3 (medium)
Published
2025-09-30
Title
Download Manager < 3.3.33 - Authenticated (Subscriber+) Information Exposure
Fixed in
Fixed in 3.3.33
CVSS
4.3 (medium)
Published
2025-09-26
Title
Download Manager < 3.3.26 - Unauthenticated Sensitive Information Exposure
Fixed in
Fixed in 3.3.26
CVSS
5.3 (medium)
Published
2025-09-26
Title
Download Manager < 3.3.25 - Cross-Site Request Forgery
Fixed in
Fixed in 3.3.25
CVSS
4.3 (medium)
Published
2025-09-18
Title
Download Manager < 3.3.24 - Reflected Cross-Site Scripting via `user_ids` Parameter
Fixed in
Fixed in 3.3.24
CVSS
6.1 (medium)
Published
2025-06-18
Title
Download Manager < 3.3.19 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode
Fixed in
Fixed in 3.3.19
CVSS
6.4 (medium)
Published
2025-04-18
Title
Download Manager < 3.3.13 - Author+ Arbitrary File Deletion
Fixed in
Fixed in 3.3.13
CVSS
7.2 (high)
Published
2025-04-17
Title
Download Manager < 3.3.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Fixed in
Fixed in 3.3.13
CVSS
5.4 (medium)
Published
2025-03-12
Title
Download Manager < 3.3.09 - Authenticated (Author+) Path Traversal to Limited File Overwrite
Fixed in
Fixed in 3.3.09
CVSS
5.4 (medium)
Published
2025-02-23
Title
Download Manager < 3.3.07 - Unauthenticated Data Exposure
Fixed in
Fixed in 3.3.07
CVSS
5.3 (medium)
Published
2024-12-19
Title
Download Manager < 3.3.04 - Missing Authorization
Fixed in
Fixed in 3.3.04
CVSS
4.3 (medium)
Published
2024-12-18
Title
Download manager < 3.3.04 - Unauthenticated Download of Password-Protected Files
Fixed in
Fixed in 3.3.04
CVSS
5.3 (medium)
Published
2024-12-18
Title
Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution
Fixed in
Fixed in 3.3.04
CVSS
7.3 (high)
Published
2024-11-29
Title
Download Manager < 3.3.03 - Admin+ Stored XSS
Fixed in
Fixed in 3.3.03
CVSS
3.5 (low)
Published
2024-10-09
Title
Download Manager < 3.3.00 - Contributor+ Stored XSS
Fixed in
Fixed in 3.3.00
CVSS
3.5 (low)
Published
2024-07-30
Title
Download Manager < 3.2.98 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Fixed in
Fixed in 3.2.98
CVSS
6.4 (medium)
Published
2024-07-30
Title
Download Manager <= 3.2.98 - Admin+ Stored XSS
Fixed in
Fixed in 3.2.99
CVSS
3.5 (low)
Published
2024-06-12
Title
Download Manager < 3.2.90 - Improper Authorization via protectMediaLibrary
Fixed in
Fixed in 3.2.90
CVSS
7.5 (high)
Published
2024-06-11
Title
Download Manager < 3.2.94 - Authenticated (Author+) Stored Cross-Site Scripting via Multiple Shortcodes
Fixed in
Fixed in 3.2.94
CVSS
6.4 (medium)
Published
2024-06-11
Title
Download Manager < 3.2.87 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Fixed in
Fixed in 3.2.87
CVSS
4.4 (medium)
Published
2024-06-04
Title
Download Manager < 3.2.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode
Fixed in
Fixed in 3.2.94
CVSS
6.4 (medium)
Published
2024-05-30
Title
Download Manager < 3.2.91 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode
Fixed in
Fixed in 3.2.91
CVSS
6.4 (medium)
Published
2024-03-16
Title
Download Manager < 3.2.85 - Contributor+ Stored XSS
Fixed in
Fixed in 3.2.85
CVSS
6.4 (medium)
Published
2024-02-28
Title
Download Manager < 3.2.86 - Contributor+ Stored XSS
Fixed in
Fixed in 3.2.86
CVSS
5.9 (medium)
Published
2024-02-28
Title
Download Manager < 3.2.85 - Unauthenticated File Download
Fixed in
Fixed in 3.2.85
CVSS
5.3 (medium)
Published
2023-11-29
Title
Download Manager < 3.2.83 - Unauthenticated Protected File Download Password Leak
Fixed in
Fixed in 3.2.83
CVSS
5.3 (medium)
Published
2023-05-12
Title
Download Manager < 3.2.71 - Contributor+ Stored Cross-Site Scripting
Fixed in
Fixed in 3.2.71
CVSS
6.4 (medium)
Published
2023-05-08
Title
Download Manager < 3.2.71 - Broken Access Controls
Fixed in
Fixed in 3.2.71
CVSS
5.3 (medium)
Published
2023-04-10
Title
Download Manager Pro < 6.3.0 - Unauthenticated Sensitive Information Disclosure
Fixed in
Fixed in 6.3.0
CVSS
5.3 (medium)
Published
2022-12-20
Title
Download Manager < 3.2.62 - Contributor+ Stored XSS
Fixed in
Fixed in 3.2.62
CVSS
6.8 (medium)
Published
2022-11-27
Title
Download Manager < 3.2.60 - Reflected XSS
Fixed in
Fixed in 3.2.60
CVSS
7.1 (high)
Published
2022-09-05
Title
Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal
Fixed in
Fixed in 3.2.55
CVSS
6.2 (medium)
Published
2022-08-17
Title
Download Manager < 3.2.50 - Contributor+ PHAR Deserialization
Fixed in
Fixed in 3.2.50
CVSS
7.5 (high)
Published
2022-08-04
Title
Download Manager < 3.2.53 - Unauthenticated Reflected Cross-Site Scripting
Fixed in
Fixed in 3.2.53
CVSS
4.7 (medium)
Published
2022-08-03
Title
Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion
Fixed in
Fixed in 3.2.51
CVSS
8.1 (high)
Published
2022-08-02
Title
Download Manager < 3.2.49 - Clear Stats & Cache via CSRF
Fixed in
Fixed in 3.2.49
CVSS
4.3 (medium)
Published
2022-08-01
Title
Download Manager < 3.2.49 - Multiple CSRF
Fixed in
Fixed in 3.2.49
CVSS
5.4 (medium)
Published
2022-08-01
Title
Download Manager < 3.2.49 - Contributor+ Stored Cross-Site Scripting
Fixed in
Fixed in 3.2.49
CVSS
6.8 (medium)
Published
2022-08-01
Title
Download Manager < 3.2.50 - Bypass IP Address Blocking Restriction
Fixed in
Fixed in 3.2.50
CVSS
5.3 (medium)
Published
2022-06-27
Title
Download Manager < 3.2.44 - Reflected Cross-Site Scripting
Fixed in
Fixed in 3.2.44
CVSS
6.1 (medium)
Published
2022-06-27
Title
Download Manager < 3.2.44 - Unauthenticated Reflected Cross-Site Scripting
Fixed in
Fixed in 3.2.44
CVSS
6.1 (medium)
Published
2022-06-22
Title
Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting
Fixed in
Fixed in 3.2.48
CVSS
6.8 (medium)
Published
2022-06-02
Title
Download manager < 3.2.43 - Reflected Cross-Site Scripting
Fixed in
Fixed in 3.2.43
CVSS
6.1 (medium)
Published
2022-03-16
Title
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
Fixed in
Fixed in 3.2.39
CVSS
5.9 (medium)
Published
2022-02-02
Title
Wordpress Download Manager < 3.2.35 - Sensitive Information Disclosure
Fixed in
Fixed in 3.2.35
CVSS
8.6 (high)
Published
2022-01-20
Title
WordPress Download Manager < 3.2.34 - Authenticated SQL Injection to Reflected XSS
Fixed in
Fixed in 3.2.34
CVSS
6.1 (medium)
Published
2021-11-29
Title
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
Fixed in
Fixed in 3.2.22
CVSS
8.8 (high)
Published
2021-09-29
Title
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting
Fixed in
Fixed in 3.2.16
CVSS
3.5 (low)
Published
2021-08-09
Title
WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF
Fixed in
Fixed in 3.2.13
CVSS
4.3 (medium)
Published
2021-07-29
Title
WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal
Fixed in
Fixed in 3.1.25
CVSS
6.5 (medium)
Published
2021-07-29
Title
WordPress Download Manager < 3.1.25 - Authenticated File Upload
Fixed in
Fixed in 3.1.25
CVSS
5.0 (medium)
Published
2021-04-30
Title
Download Manager < 3.1.22 - Plugin Settings Change via CSRF
Fixed in
Fixed in 3.1.22
CVSS
6.3 (medium)
Published
2021-04-30
Title
Download Manager < 3.1.23 - Unauthorised Asset Manager Usage
Fixed in
Fixed in 3.1.23
CVSS
7.1 (high)
Published
2021-04-30
Title
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
Fixed in
Fixed in 3.1.19
CVSS
9.1 (critical)
Published
2021-04-17
Title
WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication
Fixed in
Fixed in 3.1.18
CVSS
5.3 (medium)
Published
2019-06-09
Title
Download Manager <= 2.9.96 - Various Sanitisation Issues
Fixed in
Fixed in 2.9.97
CVSS
n/a
Published
2019-04-17
Title
Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)
Fixed in
Fixed in 2.9.94
CVSS
6.1 (medium)
Published
2018-01-09
Title
Download Manager <= 2.9.60 - Cross-Site Request Forgery (CSRF)
Fixed in
Fixed in 2.9.61
CVSS
n/a
Published
2017-07-13
Title
Download Manager <= 2.9.49 - Cross-Site Scripting (XSS)
Fixed in
Fixed in 2.9.50
CVSS
6.1 (medium)
Published
2017-07-13
Title
Download Manager <= 2.9.50 - Open Redirect
Fixed in
Fixed in 2.9.51
CVSS
6.1 (medium)
Published
2017-06-16
Title
Download Manager <= 2.9.51 - Authenticated Reflected Cross-Site Scripting (XSS)
Fixed in
Fixed in 2.9.52
CVSS
6.1 (medium)
Published
2017-03-01
Title
Download Manager <= 2.9.45 - Cross-Site Request Forgery (CSRF)
Fixed in
Fixed in 2.9.46
CVSS
n/a
Published
2016-01-19
Title
Download Manager <= 2.8.7 - Multiple Vulnerabilities
Fixed in
Fixed in 2.8.8
CVSS
n/a
Published
2015-07-16
Title
Download Manager <= 2.7.94 - Authenticated Stored XSS
Fixed in
Fixed in 2.7.95
CVSS
n/a
Published
2014-12-03
Title
Download Manager <= 2.7.4 - Code Execution / Remote File Inclusion
Fixed in
Fixed in 2.7.5
CVSS
n/a
Published
2014-11-24
Title
Download Manager <= 2.7.2 - Privilege Escalation
Fixed in
Fixed in 2.7.3
CVSS
8.8 (high)
Published
2014-08-01
Title
Download Manager <= 2.2.2 - admin.php cid Parameter XSS
Fixed in
Fixed in 2.2.3
CVSS
n/a
Published
2014-08-01
Title
Download Manager <= 2.5.8 - Download Package file Parameter Stored XSS
Fixed in
Fixed in 2.5.9
CVSS
n/a