Platform
wordpress
Component
wp-downloadmanager
Fixed in
1.69.1
CVE-2026-2419 is a Path Traversal vulnerability affecting the WP-DownloadManager plugin for WordPress. This flaw allows authenticated administrators to bypass security checks and access arbitrary files on the server by manipulating the 'download_path' configuration parameter. The vulnerability impacts versions 0.0.0 through 1.69, and a patch is available in version 1.69.1.
The Path Traversal vulnerability in WP-DownloadManager allows an authenticated administrator to bypass security controls and access files outside of the intended download directory. By crafting malicious directory traversal sequences within the 'download_path' setting, an attacker can potentially read sensitive configuration files, source code, or other critical data stored on the server. This could lead to information disclosure, privilege escalation, or even remote code execution if the attacker can access files containing executable code. The impact is amplified if the server stores sensitive data in plain text or if the attacker can leverage the accessed files to compromise other systems.
CVE-2026-2419 was publicly disclosed on 2026-02-18. No public proof-of-concept exploits are currently known. The EPSS score is likely low due to the requirement for administrator access and the relatively simple nature of the exploit. It has not been added to the CISA KEV catalog as of this writing.
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2419 is to immediately update the WP-DownloadManager plugin to version 1.69.1 or later. If upgrading is not immediately feasible, consider restricting administrator access to the plugin's configuration settings. Implement a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences (e.g., '../') in the 'download_path' parameter. Regularly review file permissions and ensure that sensitive files are not accessible to the web server user. After upgrading, confirm the fix by attempting to access a file outside the intended download directory using a directory traversal sequence in the 'download_path' parameter; the request should be denied.
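As an added example (not the plugin's own code), this is the kind of canonicalization check that the "insufficient validation of the download path" finding calls for: the configured download_path is resolved with realpath() and rejected unless it stays inside an allowed base directory. The base directory is an assumption passed in by the caller (in WordPress it would typically be the uploads directory), and the temporary directory layout is constructed only for the demonstration.

```php
<?php
// Added example, not code from WP-DownloadManager: validate a configured download
// path against an allowed base directory. Assumption: $base_dir is the directory
// that downloads must live under (e.g. wp_upload_dir()['basedir'] in WordPress).

function validate_download_path(string $candidate, string $base_dir): ?string {
    // realpath() resolves '.', '..' and symlinks and returns false for paths that
    // do not exist, so both an unknown base and a missing target fail closed.
    $real_base = realpath($base_dir);
    $real_path = realpath($candidate);
    if ($real_base === false || $real_path === false) {
        return null;
    }
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR);
    // Compare with a trailing separator so that "/uploads-evil" is not accepted
    // as being inside "/uploads".
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if ($real_path !== $real_base && strncmp($real_path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory: traversal attempt
    }
    return $real_path;
}

// Constructed temporary layout for the demonstration.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dlm_' . bin2hex(random_bytes(4));
mkdir("$root/uploads/downloads", 0700, true);
mkdir("$root/secret", 0700, true);
file_put_contents("$root/secret/config.txt", 'constructed sample');
$tmp = realpath($root); // canonical form, so displayed paths match realpath() output

$cases = [
    "$tmp/uploads/downloads",              // legitimate: inside the base
    "$tmp/uploads/downloads/../../secret", // traversal: resolves to $tmp/secret
    "$tmp/uploads/downloads/../../../",    // climbs above the base directory
    "$tmp/uploads/does-not-exist",         // non-existent target: rejected
];
foreach ($cases as $c) {
    $r = validate_download_path($c, "$tmp/uploads");
    printf("%-45s => %s\n", substr($c, strlen($tmp)),
        $r === null ? 'REJECTED' : 'ok: ' . substr($r, strlen($tmp)));
}
```

Only the first case is accepted; the two traversal cases resolve outside the base and the missing path fails closed, which is the behaviour a WAF rule on '../' alone cannot guarantee once encodings or symlinks are involved.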
Update to version 1.69.1 or a newer patched version
CVE-2026-2419 is a Path Traversal vulnerability in the WP-DownloadManager WordPress plugin, allowing authenticated administrators to access arbitrary files on the server due to insufficient validation of the download path.
You are affected if you are using WP-DownloadManager versions 0.0.0 through 1.69. Check your plugin version and upgrade immediately if vulnerable.
Upgrade WP-DownloadManager to version 1.69.1 or later. As a temporary workaround, restrict administrator access to the plugin's configuration settings and implement WAF rules to block directory traversal attempts.
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-2419, but it's crucial to apply the patch promptly to mitigate potential future risks.
Refer to the official WP-DownloadManager website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-2419.