Platform
wordpress
Component
download-manager
Fixed in
3.3.52
CVE-2026-4057 affects the Download Manager plugin for WordPress, a popular tool for managing downloadable files. This vulnerability allows authenticated users with Contributor-level access or higher to bypass ownership checks and modify media files, potentially stripping protection metadata. Versions of the plugin up to and including 3.3.51 are vulnerable, and a patch is available in version 3.3.52.
An attacker exploiting CVE-2026-4057 could gain unauthorized access to modify media files within a WordPress site. Specifically, they can strip protection metadata from media, potentially exposing sensitive information or altering the integrity of files. This could lead to data breaches, defacement of the website, or the distribution of malicious content. The impact is amplified if the affected media files contain confidential data or are critical for website functionality. While requiring authenticated access, the relatively low privilege level needed (Contributor) increases the potential attack surface, as many users on WordPress sites have this level of access.
CVE-2026-4057 was published on 2026-04-10. Its severity is rated as MEDIUM with a CVSS score of 4.3. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. It is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. Refer to the WordPress Download Manager security advisories and the NVD entry for further details.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4057 is to upgrade the WordPress Download Manager plugin to version 3.3.52 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting access to the makeMediaPublic() and makeMediaPrivate() functions. This could involve modifying the plugin's code (with caution and thorough testing) to enforce stricter ownership checks. Additionally, review user permissions and ensure that users with Contributor access do not have unnecessary privileges. After upgrading, confirm the fix by attempting to modify media files with a Contributor-level user account; the operation should be denied.
Update to version 3.3.52, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
It's a medium-severity vulnerability in the WordPress Download Manager plugin that allows authenticated users to modify media files without proper authorization.
If you're using WordPress Download Manager versions 0.0.0 through 3.3.51, you are potentially affected by this vulnerability.
Upgrade the WordPress Download Manager plugin to version 3.3.52 or later to resolve the issue. If immediate upgrade isn't possible, consider temporary code workarounds.
As of now, there are no publicly known exploits or active campaigns targeting CVE-2026-4057, but vigilance is still advised.
Refer to the WordPress Download Manager security advisories, the National Vulnerability Database (NVD) entry, and the WordPress security blog for more information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.