CVE-2025-15364 in Download Manager Plugin
Summary
by MITRE • 01/06/2026
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change users' passwords, except administrators', and leverage that to gain access to their accounts.
Analysis
by VulDB Data Team • 01/06/2026
The vulnerability identified as CVE-2025-15364 affects the Download Manager plugin for WordPress, a widely used plugin for managing file downloads. The privilege escalation flaw is present in all versions up to and including 3.3.40 and undermines the integrity of the site's user authentication. It stems from insufficient validation of the requesting user's identity in the plugin's account management functionality, which opens a path to unauthorized access to user accounts.
The technical flaw is that the plugin does not verify the identity of the requester before applying changes to a user's account details, in particular a new password. Because of this gap, an unauthenticated attacker can craft requests that bypass the normal authentication flow and modify another user's credentials without authorization. Administrator accounts are not affected, which indicates that the plugin applies some role-based restriction but does not enforce a proper identity check in the password modification workflow.
The operational impact is severe: the flaw gives a direct path to account takeover, with consequences for user data and site integrity. An attacker who obtains a user's account can steal data, manipulate content, or use the compromised account for further attacks. All non-administrator users, including subscribers, contributors and other regular users, are exposed, so a single site can suffer widespread account compromise. The weakness is classified as CWE-285 (Improper Authorization) and is a clear violation of the principle of least privilege.
The attack vector matches the privilege escalation, credential access and account manipulation patterns described in the MITRE ATT&CK framework. An attacker exploits the flaw by sending crafted requests to the plugin's password update endpoint, potentially using automated tooling to brute force or directly manipulate the authentication flow. That the flaw persists across many versions points to a fundamental design problem that was not addressed during the plugin's development lifecycle and suggests that security testing and code review were insufficient.
Mitigation should begin with an immediate update to a plugin version that addresses the authentication bypass, followed by a security assessment of the affected WordPress installation. System administrators should add monitoring for unusual account activity and password change requests, and ensure appropriate network segmentation and access controls are in place. The issue underlines the importance of input validation and sound authentication mechanisms in web applications, consistent with the OWASP Top Ten and the NIST cybersecurity frameworks. Organizations should also consider multi-factor authentication for critical user accounts and regular security audits to find similar flaws in other plugins and themes.
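As an added illustration of the defect class described in the analysis above and of the fix the mitigation section implies, the following PHP shows a hypothetical WordPress AJAX password-update handler in its vulnerable and hardened forms. This is not the Download Manager plugin's code; the action names, request field names and nonce action are assumptions.

```php
<?php
/**
 * Hypothetical WordPress password-update handler (constructed illustration,
 * not the Download Manager plugin's code). Action and field names are assumed.
 */

// Defect class (CWE-285): a handler reachable without a session
// (wp_ajax_nopriv_*) that takes the TARGET user from the request and
// writes a new password for whichever account that id names.
add_action( 'wp_ajax_nopriv_example_update_profile', 'example_vulnerable_update' );
function example_vulnerable_update() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0; // request-controlled identity
    $new     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    // Excluding administrators here would narrow the blast radius, as the
    // advisory notes the plugin does, but it is not an identity check.
    wp_set_password( $new, $user_id );
    wp_send_json_success();
}

// Hardened form: only an authenticated session may reach it (no nopriv
// hook), the target is the session's own user, the request carries a
// nonce, and the current password is re-verified before any change.
add_action( 'wp_ajax_example_update_profile', 'example_hardened_update' );
function example_hardened_update() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 ); // exits
    }
    check_ajax_referer( 'example_update_profile', 'nonce' );   // dies on bad nonce

    // Identity comes from the authenticated session, never from the request.
    $user_id = get_current_user_id();
    $user    = get_userdata( $user_id );

    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }

    wp_set_password( $new, $user_id );
    wp_send_json_success();
}
```

The server-side session check and the re-verification of the current password are what close the gap: a role exclusion alone leaves every non-administrator account writable by anyone who can name it.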