WordPress Plugin Vulnerabilities

Download Manager < 3.3.53 - Missing Authorization

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.3.52. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
download-manager
Fixed in 3.3.53

References

CVE
CVE-2026-39676
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5c652be-ea24-4fbe-aa88-ea1f8814d34a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
629dba08-0ac4-498f-9f14-c7c36fc69357

Timeline

Publicly Published
2026-02-19 (about 2 months ago)
Added
2026-04-15 (about 27 days ago)
Last Updated
2026-04-15 (about 27 days ago)

Other

Published
Title
Published
2024-12-17
Title
WPLMS < 1.9.9.1 - Missing Authorization to Unauthenticated User Token Generation
Published
2025-10-31
Title
Bard <= 2.229 - Missing Authorization
Published
2024-09-24
Title
Uncanny Groups for LearnDash < 6.1.1 - Authenticated (Group Leader+) Privilege Escalation
Published
2025-07-21
Title
bSecure 1.3.7 - 1.7.9 - Missing Authorization to Unauthenticated Privilege Escalation via order_info REST Endpoint
Published
2025-11-19
Title
Basel < 5.9.2 - Missing Authorization