WordPress Plugin Vulnerabilities

Download Manager < 3.3.50 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates.

Affects Plugins

Plugin icon
download-manager
Fixed in 3.3.50

References

CVE
CVE-2026-2571
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3efaa0d-8af6-4cdf-9225-8bbcfdbb73d3

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Quốc Huy (jtwings)
Verified
No
WPVDB ID
01735d74-7e6c-4164-9309-652140cb6dc1

Timeline

Publicly Published
2026-03-18 (about 1 month ago)
Added
2026-03-18 (about 1 month ago)
Last Updated
2026-03-19 (about 1 month ago)

Other

Published
Title
Published
2024-03-05
Title
Backup and Restore WordPress < 1.50 - Unauthenticated Sensitive Data Exposure
Published
2025-11-09
Title
WooCommerce Ultimate Points And Rewards < 2.10.3 - Authenticated (Subscriber+) Information Exposure
Published
2026-04-17
Title
Easy Appointments < 3.12.22 - Unauthenticated Sensitive Information Exposure via REST API
Published
2024-07-12
Title
Zephyr Project Manager < 3.3.100 - Unauthenticated Information Exposure
Published
2026-04-29
Title
Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure