Platform: wordpress
Component: download-manager
Fixed in: 3.3.13
CVE-2025-3404 affects the WordPress Download Manager plugin, allowing authenticated attackers to delete arbitrary files on the server. This vulnerability stems from insufficient file path validation within the plugin's savePackage function. Successful exploitation can lead to remote code execution, particularly if critical configuration files like wp-config.php are targeted. Versions 0.0.0 through 3.3.12 are vulnerable.
The primary impact of CVE-2025-3404 is the potential for remote code execution. By deleting critical files, an attacker can gain control of the WordPress site and potentially the underlying server. The vulnerability stems from insufficient file path validation within the savePackage function. An attacker can craft a malicious request to specify a file path outside of the intended directory, leading to its deletion. Deleting wp-config.php is a particularly dangerous scenario, as it contains sensitive database credentials and configuration settings, allowing the attacker to completely compromise the site. This vulnerability shares similarities with other file deletion vulnerabilities where improper input validation allows attackers to bypass security controls.
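The class of flaw described above, as an added illustration that is not the plugin's own code: a weak deletion routine that joins user input to a directory without confinement, beside a hardened version that canonicalises the path and refuses anything resolving outside the package directory. The function names and the "packages" directory layout are assumptions.

```php
<?php
// Added illustration, not code from the Download Manager plugin; the function
// names and the "packages" directory layout are hypothetical.

// Weak pattern of the kind the advisory describes: the user-supplied name is
// joined to the package directory and deleted without confinement, so
// "../../../../wp-config.php" escapes the intended directory.
function delete_package_file_weak(string $packageDir, string $userPath): bool
{
    $target = $packageDir . '/' . $userPath;
    return is_file($target) && unlink($target);
}

// Hardened form: canonicalise with realpath() so "..", "." and symlinks are
// collapsed, then require the target to sit strictly inside the package directory.
function delete_package_file_safe(string $packageDir, string $userPath): bool
{
    $base = realpath($packageDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return false; // missing base directory or null byte in the name
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false; // unresolvable, non-existent, or not a regular file
    }
    // Trailing separator stops "/srv/packages-evil" from matching "/srv/packages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the package directory
    }
    return unlink($target);
}

// Constructed demonstration in a throwaway temporary directory.
$root = sys_get_temp_dir() . '/wpdm-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/packages', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed sample\n");
file_put_contents($root . '/packages/report.pdf', 'constructed sample');

$escaped = delete_package_file_safe($root . '/packages', '../wp-config.php');
printf("traversal request deleted wp-config.php: %s\n", $escaped ? 'yes' : 'no');
printf("wp-config.php still present: %s\n", is_file("$root/wp-config.php") ? 'yes' : 'no');
$normal = delete_package_file_safe($root . '/packages', 'report.pdf');
printf("in-directory delete succeeded: %s\n", $normal ? 'yes' : 'no');

// Remove the constructed files.
unlink($root . '/wp-config.php');
rmdir($root . '/packages');
rmdir($root);
```

The weak variant is defined only for comparison and is never called; the same prefix check belongs in front of any unlink, rename or write that takes a caller-supplied name.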
CVE-2025-3404 was publicly disclosed on April 19, 2025. As of this date, there are no known public proof-of-concept exploits. The vulnerability's CVSS score of 8.8 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation and potential impact warrant immediate attention.
WordPress sites utilizing the Download Manager plugin, particularly those with multiple users having Author or higher roles, are at significant risk. Shared hosting environments where users have elevated privileges are also particularly vulnerable, as an attacker could potentially compromise the entire hosting account.
• wordpress / composer / npm:
  grep -r 'savePackage' /var/www/html/wp-content/plugins/download-manager/
• generic web:
  curl -I 'http://your-wordpress-site.com/wp-content/plugins/download-manager/savePackage.php?file=../../../../wp-config.php' # Attempt to access wp-config.php
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep 'download-manager'
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'download-manager'

Disclosure
Exploit status
EPSS: 2.02% (84th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3404 is to upgrade the WordPress Download Manager plugin to a version that addresses the vulnerability. The vendor has not yet released a fixed version, so immediate action is required. As a temporary workaround, restrict file upload permissions for users with Author-level access or higher. Implement a Web Application Firewall (WAF) rule to block requests containing suspicious file paths or attempts to access sensitive files. Carefully review and audit all file upload and modification processes within the plugin to identify and address any potential vulnerabilities. After upgrading, verify the fix by attempting to delete a non-critical file using a crafted request and confirming that the deletion is prevented.
Update the Download Manager plugin to a fixed version (later than 3.3.12) to mitigate the arbitrary file deletion vulnerability. Take a full backup of your website before updating the plugin. Verify that automatic plugin updates are enabled, or perform the updates manually on a regular basis.
CVE-2025-3404 is a vulnerability in the WordPress Download Manager plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–3.3.12 and has a CVSS score of 8.8 (HIGH).
If you are using the WordPress Download Manager plugin in version 0.0.0 through 3.3.12, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade the WordPress Download Manager plugin to a patched version. As no patch is currently available, implement workarounds like restricting file upload permissions and using a WAF.
There is currently no confirmed evidence of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention and mitigation.
Refer to the WordPress security announcements page for updates and advisories related to this vulnerability: https://wordpress.org/news/security/