WP-DownloadManager < 1.68.11 – Admin+ Arbitrary File Deletion | CVE 2025-4799 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.

Affects Plugins

wp-downloadmanager

Fixed in 1.68.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f9d9e485-171f-4e36-943d-397d540e31f4

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Jamshed Yergashvoyev (CVE Guy)

Verified

No

WPVDB ID

4b5d6cd1-3bf0-4533-8678-237a06fc4dc7

Timeline

Publicly Published

2025-06-10 (about 1 year ago)

Added

2025-06-11 (about 1 year ago)

Last Updated

2025-06-11 (about 1 year ago)

Other

Published

Title

Published

2025-11-20

Title

简数采集器 < 2.6.4 - Authenticated (Admin+) Arbitrary File Read

Published

2025-07-14

Title

Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.7 - Missing Authorization to Unauthenticated Arbitrary File Deletion

Published

2025-07-06

Title

WP Pipes <= 1.4.3 - Unauthenticated Arbitrary File Deletion

Published

2023-03-28

Title

Easy Media Replace < 0.2.0 - Author+ File Deletion

Published

2022-08-08

Title

Export All URLs < 4.4 - Admin+ Arbitrary System File Removal