WordPress Plugin Vulnerabilities

Download Manager < 3.3.33 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files.

Affects Plugins

Plugin icon
download-manager
Fixed in 3.3.33

References

CVE
CVE-2025-13498
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cdd50d-6290-4cef-a72c-2e9d680d4f1f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
type5afe
Verified
No
WPVDB ID
4916253f-9a7f-4b28-bf00-37c40ea7a110

Timeline

Publicly Published
2025-12-17 (about 4 months ago)
Added
2025-12-17 (about 4 months ago)
Last Updated
2025-12-18 (about 4 months ago)

Other

Published
Title
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Activation
Published
2025-12-11
Title
BuddyTask < 1.4.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation
Published
2022-07-22
Title
WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion
Published
2023-12-26
Title
Sirv < 7.1.3 - Missing Authorization via sirv_disconnect
Published
2023-11-15
Title
WP Like Button <= 1.7.0 - Missing Authorization via crublabFBLBAjax