CVE-2026-2419 in WP-DownloadManager Plugin
Summary
by MITRE • 02/18/2026
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality.
Analysis
by VulDB Data Team • 02/18/2026
CVE-2026-2419 affects the WP-DownloadManager plugin for WordPress: a path traversal flaw present in all versions up to and including 1.69. It stems from inadequate validation of the plugin's 'download_path' configuration setting. An authenticated attacker holding an Administrator account (or higher) can store a value containing directory traversal sequences in that setting and thereby redirect the plugin's file access outside the directory it was meant to serve from. No fixed release is named in the advisory text.
The setting is checked only for the WP_CONTENT_DIR prefix before it is used in file system operations. A prefix check on the raw string does not canonicalise the path, so a value such as WP_CONTENT_DIR followed by '/../../..' still begins with the expected prefix and passes the check, yet resolves to a directory above wp-content once the operating system interprets the '..' components. WordPress core does not constrain plugin options in this way; the plugin's own prefix check was the only guard on the value, and traversal sequences walk straight through it. The correct check resolves the path (symlinks and '..' included) and compares the result against the resolved base directory plus a trailing separator.
Once the stored path points outside wp-content, the plugin's file browser enumerates and serves whatever the web server user can read beneath it. On a typical install that includes wp-config.php and the database credentials it holds, other sites' files on shared hosting where permissions allow it, and readable operating system files. The flaw turns an administrative setting into an arbitrary file listing and read primitive. One caveat on severity: a WordPress Administrator can normally install arbitrary plugins and edit plugin files, so on a default install this adds little beyond what the account already permits. It matters most on hardened sites where DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT is set and administrators are not supposed to be able to read files on the server.
The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and shows how a string prefix check, with no canonicalisation, lets an attacker reach files outside the intended directory. From an attack perspective it sits under ATT&CK T1078 (Valid Accounts): exploitation requires an existing Administrator account, obtained through credential theft, password reuse, or a previously compromised user. The impact is amplified because that account can then read files on the server that normal WordPress access controls would not expose to it.
Mitigation should start with updating WP-DownloadManager to a release newer than 1.69 that addresses the flaw, if one is available, or deactivating the plugin until one is. Independently of the plugin, limit what a traversed path can reach: run PHP under a dedicated user whose read access is confined to the site, and set open_basedir so PHP cannot open files outside the web root even when handed a path that resolves elsewhere. For detection, alert on changes to plugin settings that contain '../' or an absolute path outside wp-content, and review Administrator logins and option changes together, since exploitation requires both. A web application firewall can block the traversal sequences in the settings request, but it is a secondary control; the fix is canonicalising the path before comparing it with the allowed base directory. The same review should be applied to other plugins and custom code that derive file system paths from user-controlled settings.
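To make the failure mode described in the analysis concrete, and to show the canonicalising check the mitigation paragraph calls for, the following PHP is an added example written for this page; it is not WP-DownloadManager code and does not reproduce the plugin's actual check. The WP_CONTENT_DIR stub under the system temp directory, the sample paths, and the function names weak_prefix_check and is_within_content_dir are assumptions chosen so the script runs stand-alone.

```php
<?php
// Added example, not plugin code. Contrasts a naive prefix check with a
// canonicalising check for a user-supplied download directory.

// Stub WP_CONTENT_DIR under the temp directory so this runs outside WordPress
// (assumption: in a real install the constant is set by WordPress core).
if (!defined('WP_CONTENT_DIR')) {
    define('WP_CONTENT_DIR', sys_get_temp_dir() . '/wp-demo/wp-content');
}

// Weak check: a raw string comparison. "<WP_CONTENT_DIR>/../../../etc" starts
// with WP_CONTENT_DIR, so it passes even though it resolves to /etc.
function weak_prefix_check(string $path): bool
{
    return strpos($path, WP_CONTENT_DIR) === 0;
}

// Hardened check: resolve symlinks and '..' on both sides first, then require
// the candidate to be the base directory itself or to sit below it. Comparing
// against base plus a separator keeps "wp-content-evil" from matching.
function is_within_content_dir(string $path): bool
{
    $base = realpath(WP_CONTENT_DIR);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false; // a path that does not resolve is rejected, never trusted
    }
    if ($real === $base) {
        return true;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Set up directories for the demo (constructed, not from any real site).
@mkdir(WP_CONTENT_DIR . '/uploads/downloads', 0755, true);
@mkdir(WP_CONTENT_DIR . '-evil', 0755, true);

$candidates = [
    WP_CONTENT_DIR . '/uploads/downloads',            // legitimate value
    WP_CONTENT_DIR . '/../../../../../../../../etc',   // traversal: passes weak, fails hardened
    WP_CONTENT_DIR . '-evil',                          // sibling dir: passes weak, fails hardened
];

foreach ($candidates as $candidate) {
    printf(
        "%-70s weak=%-6s hardened=%s\n",
        $candidate,
        weak_prefix_check($candidate) ? 'pass' : 'reject',
        is_within_content_dir($candidate) ? 'pass' : 'reject'
    );
}
```

Running the script shows the traversal and sibling-directory values accepted by the weak check and rejected by the hardened one. In a WordPress plugin the hardened check belongs in the setting's sanitize callback, so an out-of-tree value is never written to the options table; it also belongs in the file browser code path itself, because a value written directly to the database bypasses the settings screen. Note that realpath() returns false for a path that does not exist, so the check refuses unknown directories rather than guessing, and a symlink inside wp-content that points outside it is resolved and rejected as well.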