{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3404", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-07T10:27:00.760Z", "datePublished": "2025-04-19T07:23:39.977Z", "dateUpdated": "2026-04-08T16:41:32.877Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:32.877Z"}, "affected": [{"vendor": "codename065", "product": "Download Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8f5be-b513-4040-af39-c1a61d7e313f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.12/src/Admin/Menu/Packages.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.12/src/Admin/Menu/Packages.php#L56"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}, {"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "timeline": [{"time": "2025-03-31T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-04-18T18:52:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-21T14:11:07.637024Z", "id": "CVE-2025-3404", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:11:45.109Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3404", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-21T14:11:07.637024Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-21T14:11:30.241Z"}}], "cna": {"title": "Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}, {"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "codename065", "product": "Download Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-31T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-04-18T18:52:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8f5be-b513-4040-af39-c1a61d7e313f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.12/src/Admin/Menu/Packages.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.12/src/Admin/Menu/Packages.php#L56"}], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:32.877Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3404", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:32.877Z", "dateReserved": "2025-04-07T10:27:00.760Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-19T07:23:39.977Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento Download Manager para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n savePackage en todas las versiones hasta la 3.3.12 incluida. Esto permite que atacantes autenticados, con acceso de autor o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-3404", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-19T08:15:13.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.12/src/Admin/Menu/Packages.php#L45"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.12/src/Admin/Menu/Packages.php#L56"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21f8f5be-b513-4040-af39-c1a61d7e313f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T02:14:16.894812+00:00", "value": {"mitigation_remediation": ["Upgrade the Download Manager plugin to the newest release that resolves the path validation flaw.", "If an update cannot be applied immediately, revoke Author-level (and higher) roles from users or restrict access to the savePackage endpoint to prevent unauthorized deletions.", "Ensure that file system permissions for WordPress directories grant write access only to the necessary areas, minimizing the impact of any unintended delete operations."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion with potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the codename065 Download Manager plugin version 3.3.12 or earlier are affected. This includes the Up to 3.3.12 releases distributed through the official repository and any custom installations that have not been updated to a newer, corrected version.", "description_and_impact": "The Download Manager plugin permits authenticated users with Author-level or higher privileges to remove any file from the server due to inadequate file path validation in the savePackage routine. An attacker can target critical files such as wp-config.php, enabling remote code execution or complete site compromise. The flaw is a classic Path Traversal issue, classified as CWE-22, and grants destructive capabilities that surpass typical author functions.", "risk_and_exploitability": "The CVSS score of 8.8 signals a high severity, while an EPSS score of 2% indicates that exploitation is unlikely but possible. Because the vulnerability requires authenticated access at the author level, threat actors must first compromise or impersonate a legitimate user before deleting files. The flaw is not currently listed in the CISA KEV catalog, but the potential for remote code execution makes it highly critical for organizations that rely on this plugin."}}}}, "created": "2026-04-28T02:15:18.703866+00:00", "updated": "2026-04-28T02:15:18.703878+00:00", "vendors": []}