CVE-2026-4057

Summary

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic() and makeMediaPrivate() functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for edit_posts capability without verifying post ownership via current_user_can('edit_post', $id), and the destructive operations executing before the admin-level check in mediaAccessControl(). This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.

Affected Software

VendorProductVersion RangeStatus
codename065Download Manager0 <= 3.3.51affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References