{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2419", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T20:02:47.756Z", "datePublished": "2026-02-18T07:25:39.503Z", "dateUpdated": "2026-04-08T16:34:55.555Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:55.555Z"}, "affected": [{"vendor": "gamerz", "product": "WP-DownloadManager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.69", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality."}], "title": "WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb96da1-9c17-4264-ac29-b5ff8dec745d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-options.php#L42"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-downloadmanager/tags/1.69/download-options.php#L42"}, {"url": "https://github.com/lesterchan/wp-downloadmanager/commit/416b9f5459496166c0395f9e055d4c4cf872404a"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sunnatillo Abdivasiyev"}], "timeline": [{"time": "2026-02-12T20:17:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T19:12:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:09.884292Z", "id": "CVE-2026-2419", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:40.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2419", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:09.884292Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:10.761Z"}}], "cna": {"title": "WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Sunnatillo Abdivasiyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "gamerz", "product": "WP-DownloadManager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.69"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-12T20:17:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T19:12:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb96da1-9c17-4264-ac29-b5ff8dec745d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-options.php#L42"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-downloadmanager/tags/1.69/download-options.php#L42"}, {"url": "https://github.com/lesterchan/wp-downloadmanager/commit/416b9f5459496166c0395f9e055d4c4cf872404a"}], "descriptions": [{"lang": "en", "value": "The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:55.555Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2419", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:55.555Z", "dateReserved": "2026-02-12T20:02:47.756Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T07:25:39.503Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality."}, {"lang": "es", "value": "El plugin WP-DownloadManager para WordPress es vulnerable a salto de ruta en todas las versiones hasta la 1.69, inclusive, a trav\u00e9s del par\u00e1metro de configuraci\u00f3n 'download_path'. Esto se debe a una validaci\u00f3n insuficiente de la configuraci\u00f3n de la ruta de descarga, lo que permite que las secuencias de salto de directorio eludan la verificaci\u00f3n de prefijo WP_CONTENT_DIR. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, configuren el plugin para listar y acceder a archivos arbitrarios en el servidor explotando la funcionalidad del navegador de archivos."}], "id": "CVE-2026-2419", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T08:16:15.817", "references": [{"source": "security@wordfence.com", "url": "https://github.com/lesterchan/wp-downloadmanager/commit/416b9f5459496166c0395f9e055d4c4cf872404a"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-downloadmanager/tags/1.69/download-options.php#L42"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-options.php#L42"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb96da1-9c17-4264-ac29-b5ff8dec745d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.69]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "WP-DownloadManager", "source": "cna", "vendor": "gamerz"}, "product": "wp-downloadmanager", "vendor": "gamerz"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:22:32.778232+00:00", "value": {"mitigation_remediation": ["Update WP\u2011DownloadManager to version 1.70 or later to remove the traversal bug", "If an upgrade is not immediately possible, delete or disable the plugin\u2019s file browser feature and remove the download_path configuration", "Restrict administrator access and enforce a whitelist of permissible directories for download_path to mitigate future attempts", "Audit and monitor configuration changes in the plugin for unauthorized modifications"], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure via arbitrary file read"}, "threat_synthesis": {"affected_systems": "The WP\u2011DownloadManager plugin for WordPress versions up to and including 1.69 is affected; the vendor is gamerz:WP-DownloadManager. All installations of these plugin versions that expose the file browser functionality are vulnerable.", "description_and_impact": "The vulnerability allows an authenticated administrator to configure the plugin\u2019s download_path parameter with directory traversal sequences that bypass a prefix check, enabling the listing and reading of any file on the server. This constitutes a path traversal flaw (CWE\u201122) that can expose sensitive configuration files, credentials, or code, thereby compromising confidentiality and potentially increasing the attack surface for further exploitation. Only users with Administrator level or higher privileges can trigger the flaw, so the attack requires legitimate site access.", "risk_and_exploitability": "The CVSS score is 2.7, indicating low overall severity, and the EPSS score is less than 1%, reflecting a very low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely to be initiated by an authenticated administrator who modifies the download_path value, exploiting the insufficient validation. While the technical barrier is low for an attacker with admin access, the overall risk remains modest due to the restricted privilege requirement and low exploitation probability."}}}}, "created": "2026-02-18T10:32:32.982373+00:00", "updated": "2026-04-15T20:30:13.775864+00:00", "vendors": ["gamerz", "gamerz$PRODUCT$wp-downloadmanager", "wordpress", "wordpress$PRODUCT$wordpress"]}