Platform: wordpress
Component: download-manager
Fixed in: 3.3.13
CVE-2025-3404 affects the WordPress Download Manager plugin and allows authenticated attackers with Author-level access or higher to delete arbitrary files on the server. The root cause is insufficient file path validation in the plugin's savePackage function: the path handed to the deletion step is not confined to the plugin's own storage directory, so a low-privileged user can point it at any file the web server process can remove. Deleting the right file, such as wp-config.php, can lead to remote code execution. All versions up to and including 3.3.12 are affected; version 3.3.13 fixes the issue.
The primary impact of CVE-2025-3404 is remote code execution. An attacker with an Author-level account or higher can delete any file the web server process has write access to. wp-config.php is the obvious target: without its configuration file, WordPress falls back to the installation wizard, which lets any visitor re-run setup against an attacker-controlled database and from there plant code and take full control of the site. Note that this is not an authentication bypass; the attacker needs a valid account, but Author is a role many multi-author sites hand out freely. The low privilege required, combined with the potential for complete site takeover and persistence, makes this a high-priority vulnerability.
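To make the bug class concrete, the following is an added example, not code from the Download Manager plugin (the page does not show the actual savePackage implementation, and all function and directory names here are hypothetical). It puts a deletion routine that trusts a user-supplied path next to a hardened version that canonicalises the path and refuses anything that resolves outside the plugin's upload directory, then exercises both against a scratch directory tree constructed for the demo, including a traversal attempt aimed at wp-config.php.

```php
<?php
// Added example, not the plugin's code. Names and layout are hypothetical.

// Vulnerable pattern: the relative path comes straight from the request and
// is concatenated onto the base directory, so "../" sequences escape it.
function delete_package_file_vulnerable(string $base_dir, string $user_path): bool
{
    $target = $base_dir . '/' . $user_path;
    if (file_exists($target)) {
        return unlink($target);
    }
    return false;
}

// Hardened pattern: resolve both sides with realpath() (which collapses "..",
// symlinks and duplicate separators) and require the resolved target to sit
// strictly inside the resolved base directory.
function delete_package_file_safe(string $base_dir, string $user_path): bool
{
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return false;
    }
    // Cheap rejections before touching the filesystem: empty, absolute, or NUL-bearing input.
    if ($user_path === '' || $user_path[0] === '/' || strpos($user_path, "\0") !== false) {
        return false;
    }
    $candidate = realpath($real_base . '/' . $user_path);
    if ($candidate === false) {
        return false; // does not exist or cannot be resolved
    }
    // Compare against base plus a trailing separator so "/uploads-evil" does not match "/uploads".
    $base_with_sep = rtrim($real_base, '/') . '/';
    if (strncmp($candidate, $base_with_sep, strlen($base_with_sep)) !== 0) {
        return false; // resolved outside the allowed directory
    }
    if (!is_file($candidate)) {
        return false; // never unlink directories or special files
    }
    return unlink($candidate);
}

// Scratch layout constructed for this example: a fake WordPress root with a
// config file and a plugin upload directory three levels below it.
$root    = sys_get_temp_dir() . '/wpdm-demo-' . getmypid();
$uploads = $root . '/wp-content/uploads/download-manager-files';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stand-in for the real config\n");
file_put_contents($uploads . '/package.zip', 'not really a zip');

// Attacker-controlled value that climbs out of the upload directory.
$traversal = '../../../wp-config.php';

echo "safe, traversal refused:      ", var_export(delete_package_file_safe($uploads, $traversal), true), PHP_EOL;
echo "config still present:         ", var_export(file_exists($root . '/wp-config.php'), true), PHP_EOL;
echo "safe, legitimate file removed: ", var_export(delete_package_file_safe($uploads, 'package.zip'), true), PHP_EOL;
echo "vulnerable, traversal honoured: ", var_export(delete_package_file_vulnerable($uploads, $traversal), true), PHP_EOL;
echo "config still present:         ", var_export(file_exists($root . '/wp-config.php'), true), PHP_EOL;

// Clean up the scratch tree.
@unlink($root . '/wp-config.php');
@rmdir($uploads);
@rmdir($root . '/wp-content/uploads');
@rmdir($root . '/wp-content');
@rmdir($root);
```

The order of checks matters: realpath() returns false for a non-existent file, so the existence test and the containment test are combined in one call, and the prefix comparison is done on the resolved path rather than on the raw input, which is what defeats encoded or symlink-based traversal that a simple `str_contains($user_path, '..')` filter would miss.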
CVE-2025-3404 was publicly disclosed on April 19, 2025. There is currently no indication that it is being exploited in the wild, and no public proof-of-concept code has been released, but the bug is straightforward to understand and to trigger from an Author account, which makes exploitation likely once unpatched sites are identified. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 2.02% (84th percentile)
The primary mitigation for CVE-2025-3404 is to upgrade the WordPress Download Manager plugin to version 3.3.13 or later, which corrects the file path validation in savePackage. If you cannot update immediately, reduce exposure in the meantime: review which accounts hold the Author role or higher and remove any that do not need it, since the attack requires such an account; restrict file upload and download-package editing permissions for Author-level users where your workflow allows; add a Web Application Firewall (WAF) rule that blocks plugin requests whose file-related parameters contain path traversal sequences such as ../ or reference wp-config.php; and monitor server and audit logs for unexpected file deletions under the WordPress root. After updating or applying workarounds, verify on a staging copy that legitimate package management still works and that a test Author account can no longer reach files outside the plugin's storage directory.
Update the Download Manager plugin to 3.3.13 or later to close the arbitrary file deletion vulnerability. Take a full backup of the site before updating. Enable automatic plugin updates, or update manually on a regular schedule, so that future fixes are not missed.
CVE-2025-3404 is a vulnerability in the WordPress Download Manager plugin that allows authenticated users with Author-level access or higher to delete arbitrary files, potentially leading to remote code execution. It affects all versions up to and including 3.3.12 and has a CVSS score of 8.8 (HIGH).
If you are running the WordPress Download Manager plugin at any version up to and including 3.3.12, you are affected by this vulnerability. Immediate action is required.
Upgrade the WordPress Download Manager plugin to version 3.3.13 or later. If you cannot update immediately, restrict Author-level accounts and their file permissions and deploy a WAF rule against path traversal in plugin requests until you can.
There is currently no confirmed evidence of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention and mitigation.
Refer to the WordPress security announcements page for updates and advisories related to this vulnerability: https://wordpress.org/news/security/