Platform: wordpress
Component: wp-downloadmanager
Fixed in: 1.69.1
CVE-2026-2419 is a Path Traversal vulnerability affecting the WP-DownloadManager plugin for WordPress. This flaw allows authenticated administrators to bypass security checks and access arbitrary files on the server by manipulating the 'download_path' configuration parameter. The vulnerability impacts versions 0.0.0 through 1.69, and a patch is available in version 1.69.1.
Successful exploitation of CVE-2026-2419 allows an authenticated administrator to read sensitive files from the web server's file system. This could include configuration files containing database credentials, API keys, or other sensitive information. Although exploitation requires administrator privileges, the ease of exploitation makes this a significant risk, particularly for WordPress sites with poorly configured user roles. The potential blast radius extends to any data readable by the web server process, which can expose the entire system to compromise. This vulnerability resembles other path traversal flaws in which attackers leverage misconfigured file paths to gain unauthorized access.
CVE-2026-2419 was published on 2026-02-18. Its CVSS score of 2.7 indicates a low severity. There are currently no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any updates.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-2419 is to immediately upgrade the WP-DownloadManager plugin to version 1.69.1 or later. If upgrading is not immediately feasible, consider restricting administrator access to the plugin's configuration settings. Implement a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences (e.g., ../) in the 'download_path' parameter. Regularly review WordPress plugin configurations and ensure proper file permissions are in place to limit the potential impact of such vulnerabilities. After upgrading, confirm the fix by attempting to access a file outside the intended download directory via the plugin's file browser.
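The root cause described above is insufficient validation of an administrator-supplied download directory. The following PHP function is an added example of the kind of containment check a plugin should apply before persisting such a setting; it is not WP-DownloadManager's code and not the 1.69.1 patch (which this page does not show). The function name, the option-handling context, and the temporary directory tree it builds for demonstration are all constructed for the example, and a POSIX filesystem is assumed. The check canonicalizes the path with realpath() and then verifies that the result is the allowed base directory or lies strictly beneath it, which defeats "../" sequences, symlink escapes and prefix-collision siblings alike.

```php
<?php
// Added example, not WP-DownloadManager code. Validates an admin-supplied
// download directory against an allowed base before it is saved.
// Assumption: $allowedBase is the directory the plugin is meant to serve from
// (for WordPress, typically the uploads directory). POSIX paths assumed.

/**
 * Return the canonical directory if $requested resolves inside $allowedBase,
 * or null if it does not exist, is not a directory, or escapes the base.
 */
function validate_download_path(string $requested, string $allowedBase): ?string
{
    // NUL bytes truncate paths in the C runtime; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($allowedBase);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Relative input is interpreted relative to the base, never to the CWD.
    $candidate = ($requested !== '' && $requested[0] === '/')
        ? $requested
        : $base . '/' . $requested;

    // realpath() collapses "..", ".", symlinks and duplicate separators,
    // and returns false for paths that do not exist.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_dir($resolved)) {
        return null;
    }

    // Containment check on the canonical form: must be the base itself or
    // start with "base/". The trailing separator stops "/srv/uploads-evil"
    // from passing as inside "/srv/uploads".
    $prefix = rtrim($base, '/') . '/';
    if ($resolved !== $base && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $resolved;
}

// --- self-contained demonstration on a constructed directory tree ---
$root = sys_get_temp_dir() . '/dlm-demo-' . uniqid();
mkdir($root . '/uploads/files', 0700, true);   // the legitimate tree
mkdir($root . '/uploads-evil', 0700, true);    // sibling sharing a prefix
$base = $root . '/uploads';

// Constructed inputs paired with whether the check should accept them.
$cases = [
    'files'           => true,   // ordinary subdirectory
    ''                => true,   // the base directory itself
    '../'             => false,  // climbs out of the base
    'files/../../'    => false,  // climbs out after descending
    '../uploads-evil' => false,  // sibling that shares the base's prefix
    $root             => false,  // absolute path above the base
    "files\0/../.."   => false,  // NUL-byte truncation attempt
    'does-not-exist'  => false,  // non-existent directory
];

foreach ($cases as $input => $expectAllowed) {
    $result  = validate_download_path((string) $input, $base);
    $allowed = $result !== null;
    printf("%-24s -> %s\n", json_encode((string) $input),
        $allowed ? "ALLOWED ($result)" : 'REJECTED');
    if ($allowed !== $expectAllowed) {
        throw new RuntimeException("unexpected result for " . json_encode((string) $input));
    }
}

// Clean up the constructed tree.
rmdir($root . '/uploads/files');
rmdir($root . '/uploads');
rmdir($root . '/uploads-evil');
rmdir($root);
echo "all cases behaved as expected\n";
```

In a WordPress plugin this check belongs in the sanitize callback registered for the option (or in the settings-save handler) so that a rejected path is never written, rather than being applied only at download time. A WAF rule that blocks "../" in the parameter, as suggested above, is a useful stopgap but does not cover symlinks or absolute paths; the canonical-path containment check handles both.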
Update to version 1.69.1, or a newer patched version
CVE-2026-2419 is a Path Traversal vulnerability in the WP-DownloadManager WordPress plugin, allowing authenticated administrators to access arbitrary files on the server due to insufficient validation of the download path.
You are affected if you are using WP-DownloadManager versions 0.0.0 through 1.69. Check your plugin version and upgrade immediately if vulnerable.
Upgrade WP-DownloadManager to version 1.69.1 or later. As a temporary workaround, restrict administrator access to the plugin's configuration settings and implement WAF rules to block directory traversal attempts.
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-2419, but it's crucial to apply the patch promptly to mitigate potential future risks.
Refer to the official WP-DownloadManager website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-2419.