Platform
wordpress
Component
cm-download-manager
Fixed in
2.9.7
CVE-2025-30910 describes an Arbitrary File Access vulnerability within the CM Download Manager, a WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths, bypassing intended access controls. The vulnerability impacts versions from 0.0.0 up to and including 2.9.6. A patch is available in version 2.9.7.
The Arbitrary File Access vulnerability allows an attacker to read any file accessible by the web server process. This could include configuration files containing database credentials, private keys, or other sensitive information. Successful exploitation could lead to complete compromise of the WordPress site and potentially the underlying server. The attacker could exfiltrate this data, modify it, or use it as a stepping stone for further attacks, such as gaining shell access. While not directly leading to remote code execution, the information gained could be leveraged to identify and exploit other vulnerabilities.
CVE-2025-30910 was publicly disclosed on April 1, 2025. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the potential for sensitive data exposure.
Exploit Status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-30910 is to immediately upgrade the CM Download Manager plugin to version 2.9.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive files to the web server user only. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface.
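As an added illustration of the two mitigations above, a server-side path-confinement check and a decode-then-match version of the WAF rule (example code written for this page, not the plugin's own; the download root and request values are constructed):

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed download root for the example; the plugin's real paths are not
# given on the advisory page, so this is an assumed value.
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads/cmdm"


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it stays inside `root`,
    otherwise None. Canonicalising with realpath (instead of scanning for
    "../") also catches absolute paths and symlinks that escape the root."""
    # Decode twice so single- and double-percent-encoded input is normalised
    # before the path is built; a literal "../" survives decoding unchanged.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        # Embedded NUL bytes truncate paths in C-based file APIs; reject them.
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # os.path.join discards `root` when `decoded` is absolute, so the prefix
    # check below is what actually enforces confinement.
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def looks_like_traversal(raw_param: str) -> bool:
    """Detection counterpart of the WAF rule in the advisory: True when any
    path segment of the decoded parameter is "..". Decoding first and
    treating "\\" as a separator closes the two common gaps of a plain
    "../" string match (percent-encoding and backslashes)."""
    decoded = unquote(unquote(raw_param)).replace("\\", "/")
    return ".." in decoded.split("/")


if __name__ == "__main__":
    # Constructed request values, not observed traffic.
    for value in ("reports/q1.pdf", "../../../../wp-config.php",
                  "%2e%2e%2fwp-config.php", "/etc/hostname"):
        print(f"{value!r:32} traversal={looks_like_traversal(value)!s:5} "
              f"resolved={resolve_within_root(DOWNLOAD_ROOT, value)}")
```

The string-based rule alone does not flag an absolute path such as `/etc/hostname`, while the realpath confinement check rejects it, which is why the WAF rule is a stopgap and the upgrade is the fix.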
Update the CM Download Manager plugin to the latest available version to mitigate the directory traversal vulnerability. Check the plugin's release notes for specific upgrade instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating user input.
CVE-2025-30910 is a vulnerability in CM Download Manager allowing attackers to read files by manipulating file paths. It has a HIGH severity rating and affects versions 0.0.0 through 2.9.6.
You are affected if your CM Download Manager plugin is running version 0.0.0 to 2.9.6. Check your plugin version and upgrade immediately.
Upgrade the CM Download Manager plugin to version 2.9.7 or later. If immediate upgrade is not possible, implement a WAF rule to block path traversal attempts.
As of the current date, there are no confirmed reports of active exploitation, but it's crucial to patch promptly to mitigate potential risk.
Refer to the official CM Download Manager website or WordPress plugin repository for the latest advisory and update information.