WordPress Plugin Vulnerabilities

Download Manager < 3.3.31 - Unauthenticated Cron Trigger due to Hardcoded Cron Key

Description

The plugin is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.

Affects Plugins

Plugin icon
download-manager
Fixed in 3.3.31

References

CVE
CVE-2025-12177
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/17d5253c-5000-40c7-a7fd-f75d4badfb5e

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Jack Pas (Dark.)
Verified
No
WPVDB ID
e8ea5579-5bcd-413a-b7bc-51e68dff3d4d

Timeline

Publicly Published
2025-11-07 (about 6 months ago)
Added
2025-11-07 (about 6 months ago)
Last Updated
2025-11-07 (about 6 months ago)

Other

Published
Title
Published
2025-07-30
Title
HT Mega – Absolute Addons For Elementor < 2.9.2 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions
Published
2025-10-31
Title
Folderly < 0.3.1 - Incorrect Authorization to Authenticated (Author+) Term Deletion
Published
2025-07-01
Title
Soumettre.fr <= 2.1.5 - Unauthenticated Soumettre Posts Creation/Modification/Deletion
Published
2023-05-12
Title
WPCS – WordPress Currency Switcher Professional < 1.2.0 - Subscriber+ Missing Authorization Checks
Published
2024-12-16
Title
Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass