Platform
wordpress
Component
cm-download-manager
Fixed in
2.9.7
CVE-2025-30910 describes an Arbitrary File Access vulnerability within the CM Download Manager, a WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths, bypassing intended access controls. The vulnerability impacts versions from 0.0.0 up to and including 2.9.6. A patch is available in version 2.9.7.
The Arbitrary File Access vulnerability allows an attacker to read any file accessible to the webserver user. This could include sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress site and potentially the underlying server. The attacker could gain access to user data, intellectual property, or use the server as a launchpad for further attacks. While the vulnerability requires path manipulation, the potential impact is severe due to the wide range of files potentially accessible.
CVE-2025-30910 was publicly disclosed on April 1, 2025. As of this date, there are no known public proof-of-concept exploits. The vulnerability's simplicity suggests a potential for rapid exploitation if a PoC is released. It is not currently listed on CISA KEV, and the EPSS score is pending evaluation.
WordPress websites utilizing the CM Download Manager plugin, particularly those with older versions (0.0.0 - 2.9.6), are at risk. Shared hosting environments where users have limited control over plugin installations are especially vulnerable.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/cm-download-manager/*
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/cm-download-manager/../../../../etc/passwd
Disclosure
Exploit status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-30910 is to immediately upgrade CM Download Manager to version 2.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the server to minimize the potential impact of a successful exploit. Regularly review WordPress plugin installations and ensure they are from trusted sources.
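As an added defender-side example (not code from the advisory or from the plugin project), the Python below checks an installed CM Download Manager version string against the advisory's affected range and scans access-log lines for requests under the plugin path that carry a '..' segment, including URL-encoded and double-encoded forms that a WAF rule matching only the literal '../' would miss. The log lines, client addresses and file names in them are constructed samples.

```python
import re
from urllib.parse import unquote

# Advisory facts: affected 0.0.0 .. 2.9.6, fixed in 2.9.7.
FIXED_VERSION = (2, 9, 7)
PLUGIN_PATH = "/wp-content/plugins/cm-download-manager/"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
DOTDOT_SEGMENT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")

# Constructed sample access-log lines (not real traffic). Lines 2-4 carry a
# '..' segment under the plugin path in plain, URL-encoded and double-encoded form.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2025:10:11:12 +0000] "GET /wp-content/plugins/cm-download-manager/readme.txt HTTP/1.1" 200 512
203.0.113.7 - - [02/Apr/2025:10:12:01 +0000] "GET /wp-content/plugins/cm-download-manager/../../../../etc/passwd HTTP/1.1" 404 221
203.0.113.9 - - [02/Apr/2025:10:13:44 +0000] "GET /wp-content/plugins/cm-download-manager/..%2F..%2Fwp-config.php HTTP/1.1" 200 3310
203.0.113.9 - - [02/Apr/2025:10:14:02 +0000] "GET /wp-content/plugins/cm-download-manager/%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3310
198.51.100.2 - - [02/Apr/2025:10:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200
"""

def is_affected(installed: str) -> bool:
    """True if the installed plugin version lies in the advisory's range 0.0.0 .. 2.9.6."""
    parts = [int(x) for x in re.findall(r"\d+", installed)[:3]]
    parts += [0] * (3 - len(parts))  # "2.9" -> (2, 9, 0)
    return tuple(parts) < FIXED_VERSION

def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences are normalised."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_traversal_requests(log_text: str) -> list:
    """Return (client_ip, decoded_target) for plugin requests containing a '..' path segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = decode_fully(m.group(1)).replace("\\", "/")
        if PLUGIN_PATH in target and DOTDOT_SEGMENT_RE.search(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits

def literal_rule_hits(log_text: str) -> int:
    """What a WAF rule matching only the literal string '../' would have caught."""
    return sum(1 for line in log_text.splitlines() if "../" in line)
```

On the sample log the literal rule catches one of the three traversal requests, so a blocking rule should operate on the decoded request path rather than the raw bytes.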
Update the CM Download Manager plugin to the latest available version to mitigate the directory traversal vulnerability. Check the plugin's release notes for specific upgrade instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating user input.
CVE-2025-30910 is a vulnerability in CM Download Manager allowing attackers to read files by manipulating file paths. It has a HIGH severity rating and affects versions 0.0.0 through 2.9.6.
You are affected if your CM Download Manager plugin is running version 0.0.0 to 2.9.6. Check your plugin version and upgrade immediately.
Upgrade the CM Download Manager plugin to version 2.9.7 or later. If immediate upgrade is not possible, implement a WAF rule to block path traversal attempts.
As of the current date, there are no confirmed reports of active exploitation, but it's crucial to patch promptly to mitigate potential risk.
Refer to the official CM Download Manager website or WordPress plugin repository for the latest advisory and update information.