Platform: wordpress
Component: wp-downloadmanager
Fixed version: 1.69.1
CVE-2026-2419 is a Path Traversal vulnerability affecting the WP-DownloadManager plugin for WordPress. This flaw allows authenticated administrators to bypass security checks and access arbitrary files on the server by manipulating the 'download_path' configuration parameter. The vulnerability impacts versions 0.0.0 through 1.69, and a patch is available in version 1.69.1.
Successful exploitation of CVE-2026-2419 allows an authenticated administrator to read sensitive files from the web server's file system. This could include configuration files containing database credentials, API keys, or other sensitive information. Although exploitation requires administrator privileges, its ease makes this a significant risk, particularly for WordPress sites with poorly configured user roles. The potential blast radius extends to any data readable by the web server process, potentially exposing the entire system to compromise. This vulnerability shares similarities with other path traversal flaws in which attackers leverage misconfigured file paths to gain unauthorized access.
CVE-2026-2419 was published on 2026-02-18. Its CVSS score of 2.7 indicates a low severity. There are currently no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any updates.
Exploitation status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2419 is to immediately upgrade the WP-DownloadManager plugin to version 1.69.1 or later. If upgrading is not immediately feasible, consider restricting administrator access to the plugin's configuration settings. Implement a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences (e.g., ../) in the 'download_path' parameter. Regularly review WordPress plugin configurations and ensure proper file permissions are in place to limit the potential impact of such vulnerabilities. After upgrading, confirm the fix by attempting to access a file outside the intended download directory via the plugin's file browser.
Update to version 1.69.1 or a later patched version.
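The root cause described above is insufficient validation of the configured download path. The following PHP is an added example for this advisory, not code from WP-DownloadManager or its patch. It shows two defender-side checks: confining an administrator-supplied `download_path` to an allowed base directory by canonicalizing it with `realpath()` and comparing against the base with a separator-terminated prefix, and a WAF-style pre-filter that flags traversal sequences (including URL-encoded and backslash variants) in the raw parameter before it is stored. The function names, the `wpdm_example_` prefix, the temporary directory layout and the sample inputs are all constructed for illustration; the code assumes PHP 8 (for `str_starts_with`) on a POSIX file system.

```php
<?php
// Added example (not the plugin's own code): confine an admin-supplied download
// path to an allowed base directory, and pre-filter traversal sequences.
// All names with the wpdm_example_ prefix are hypothetical.

declare(strict_types=1);

/**
 * Return the canonical path if $candidate resolves to a location inside $base,
 * or null if it does not (traversal, symlink escape, non-existent directory).
 * Relative candidates are resolved against $base; absolute ones are used as-is.
 */
function wpdm_example_confine_download_path(string $base, string $candidate): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;               // the base directory itself must exist
    }

    $target = str_starts_with($candidate, '/') ? $candidate : $realBase . '/' . $candidate;
    $realTarget = realpath($target);
    if ($realTarget === false) {
        return null;               // unresolvable or missing path is rejected, not guessed
    }

    // Compare with a trailing separator so that a base of "/srv/uploads" does not
    // accidentally accept "/srv/uploads-other".
    $baseTrim = rtrim($realBase, DIRECTORY_SEPARATOR);
    $prefix   = $baseTrim . DIRECTORY_SEPARATOR;
    if ($realTarget !== $baseTrim && !str_starts_with($realTarget, $prefix)) {
        return null;
    }
    return $realTarget;
}

/**
 * WAF-style pre-check on the raw parameter value: flag "../" style sequences,
 * including double URL-encoding and backslash separators, before the value
 * ever reaches the setting.
 */
function wpdm_example_looks_like_traversal(string $value): bool
{
    $decoded    = rawurldecode(rawurldecode($value)); // catch %252e%252e%252f
    $normalized = str_replace('\\', '/', $decoded);
    return (bool) preg_match('#(^|/)\.\.(/|$)#', $normalized);
}

// Demo with a constructed directory layout under the system temp directory.
$base = sys_get_temp_dir() . '/wpdm-example-' . getmypid();
mkdir($base . '/files', 0700, true);
touch($base . '/files/report.pdf');

$cases = [
    'files',            // allowed: subdirectory of the base
    'files/report.pdf', // allowed: file inside the base
    '../../etc',        // rejected: resolves outside the base
    '/etc',             // rejected: absolute path outside the base
];
foreach ($cases as $c) {
    $result = wpdm_example_confine_download_path($base, $c);
    printf("%-20s => %s\n", $c, $result === null ? 'REJECTED' : 'ok: ' . $result);
}

foreach (['uploads/files', '..%2F..%2Fetc', '..\\..\\outside'] as $raw) {
    printf("%-24s traversal=%s\n", $raw, wpdm_example_looks_like_traversal($raw) ? 'yes' : 'no');
}

// Remove the constructed layout.
unlink($base . '/files/report.pdf');
rmdir($base . '/files');
rmdir($base);
```

The canonicalization check is the one that actually matters on the server side: a pattern filter alone can be evaded by encodings it does not anticipate, whereas comparing `realpath()` output against the base catches both `..` segments and symlinks that point outside the permitted tree. The pre-filter is still useful at the WAF or request layer because it blocks obvious probes before they reach application code and gives a clear signal to log.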
CVE-2026-2419 is a Path Traversal vulnerability in the WP-DownloadManager WordPress plugin, allowing authenticated administrators to access arbitrary files on the server due to insufficient validation of the download path.
You are affected if you are using WP-DownloadManager versions 0.0.0 through 1.69. Check your plugin version and upgrade immediately if vulnerable.
Upgrade WP-DownloadManager to version 1.69.1 or later. As a temporary workaround, restrict administrator access to the plugin's configuration settings and implement WAF rules to block directory traversal attempts.
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-2419, but it's crucial to apply the patch promptly to mitigate potential future risks.
Refer to the official WP-DownloadManager website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2026-2419.