CVE-2026-2571 in Download Manager Plugin
Summary
by MITRE • 03/19/2026
The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates.
Analysis
by VulDB Data Team • 03/19/2026
The vulnerability identified as CVE-2026-2571 resides within the Download Manager plugin for WordPress, a widely used component for managing file downloads. It is an authorization bypass: a data-retrieval function is reachable by any logged-in user without a check that the caller is actually allowed to see the data. All versions of the plugin up to and including 3.3.49 are affected, so every installation still on one of those releases is exposed to any account holder with even the lowest privilege level.
The technical core of this vulnerability is the missing access-control check in the 'reviewUserStatus' function. The function returns details about a user chosen by the caller, but it never verifies that the calling user holds a capability that entitles them to view other users' records. WordPress exposes logged-in AJAX handlers to every authenticated role, so without such a check an authenticated Subscriber can call the function and read data that the role system would otherwise keep from them. The flaw is classified as CWE-285 (Improper Authorization).
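The pattern in question, as an added example that is not the plugin's code: a WordPress AJAX handler whose only gate is being logged in, beside a hardened version that checks a nonce and a capability before reading another user's record. The handler names, the AJAX action name `wpdm_review_user_status`, the `list_users` capability choice and the CLI stand-ins for core functions are all assumptions made for the illustration; the real plugin's function and action names are not given on this page.

```php
<?php
// Added example, not the Download Manager plugin's code. Handler names, the
// AJAX action 'wpdm_review_user_status' and the 'list_users' capability are
// assumptions chosen to illustrate the missing-capability-check pattern.

// Stand-ins so the file runs from the CLI. Inside WordPress these functions
// come from core; they are only defined here when core is absent.
if (!function_exists('add_action')) {
    $GLOBALS['_demo_caps'] = ['read' => true]; // a Subscriber has 'read' only
    function current_user_can(string $cap): bool {
        return !empty($GLOBALS['_demo_caps'][$cap]);
    }
    function check_ajax_referer(string $action, $query_arg = false, bool $stop = true): bool {
        $ok = $query_arg && isset($_REQUEST[$query_arg]) && $_REQUEST[$query_arg] === 'valid-nonce';
        if (!$ok && $stop) { throw new RuntimeException("nonce check failed for $action"); }
        return $ok;
    }
    function wp_send_json_success($data = null): void {
        echo json_encode(['success' => true, 'data' => $data]), "\n";
    }
    function wp_send_json_error($data = null, int $status = 403): void {
        echo json_encode(['success' => false, 'status' => $status, 'data' => $data]), "\n";
    }
    function get_userdata(int $id) {
        // Constructed sample user table (not real data).
        $users = [1 => ['user_email' => 'admin@example.test', 'display_name' => 'Site Admin',
                        'user_registered' => '2020-01-01 00:00:00']];
        return isset($users[$id]) ? (object) $users[$id] : false;
    }
}

// Vulnerable shape: reachable by every authenticated role via the wp_ajax_ hook,
// no nonce, no capability check. Any Subscriber can read any user's record.
function vuln_review_user_status(): void {
    $user = get_userdata((int) ($_POST['user_id'] ?? 0));
    if (!$user) { wp_send_json_error('no such user', 404); return; }
    wp_send_json_success([
        'email'      => $user->user_email,
        'name'       => $user->display_name,
        'registered' => $user->user_registered,
    ]);
}

// Hardened shape: CSRF nonce first, then a capability that expresses
// "may view other users" ('list_users' is held by Administrators, not Subscribers).
function safe_review_user_status(): void {
    check_ajax_referer('wpdm_review_user_status', 'nonce');
    if (!current_user_can('list_users')) {
        wp_send_json_error('insufficient privileges', 403);
        return;
    }
    $user = get_userdata((int) ($_POST['user_id'] ?? 0));
    if (!$user) { wp_send_json_error('no such user', 404); return; }
    wp_send_json_success([
        'email'      => $user->user_email,
        'name'       => $user->display_name,
        'registered' => $user->user_registered,
    ]);
}

if (function_exists('add_action')) {
    // Register only the logged-in hook; never wp_ajax_nopriv_ for this action.
    add_action('wp_ajax_wpdm_review_user_status', 'safe_review_user_status');
} else {
    // CLI demo: a Subscriber with a valid nonce asks for user 1.
    $_POST = $_REQUEST = ['user_id' => 1, 'nonce' => 'valid-nonce'];
    vuln_review_user_status(); // leaks admin@example.test
    safe_review_user_status(); // {"success":false,"status":403,...}
}
```

Run with `php example.php` outside WordPress to see the leak from the first handler and the 403 from the second. The nonce alone would not have prevented this bug: a Subscriber can obtain a valid nonce from any page that embeds it, so the capability check is the control that actually enforces the role boundary.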
The operational impact is information disclosure at scale: an attacker with Subscriber-level privileges or higher can iterate over user IDs and harvest email addresses, display names and registration dates for every account on the site. That data set is useful for targeted phishing, for identifying accounts worth attacking through password reset or credential stuffing, and for building profiles of a site's user base during reconnaissance. The only precondition is an authenticated account of any role, and on sites where the "Anyone can register" setting is enabled an attacker can create one at will, so the effective barrier on such sites is close to zero.
In ATT&CK terms, exploitation relies on T1078 Valid Accounts (the attacker acts through a legitimate, low-privileged login), and the harvested email addresses are a natural input to T1566 Phishing against the site's users. The missing capability check is a breakdown of least privilege: WordPress's role and capability system is meant to stop lower-level users from reading data reserved for higher roles, and this function simply never consults it. Organizations running an unpatched Download Manager plugin therefore face a realistic risk of user-data exposure, with the compliance and notification obligations that follow.
The recommended mitigation is to update to 3.3.50 or later, the first release after the last affected version, which should add the missing capability check to the user-status function. Where updating is delayed, review whether open registration is needed and disable it if not, since the flaw is only reachable with an account. Administrators should also watch for exploitation: a single low-privileged account or client address requesting user records for many different user IDs in a short window is the characteristic pattern. Note that WordPress AJAX requests are usually POSTs, whose parameters do not appear in ordinary web-server access logs, so detection that relies on access logs will only see GET-style calls; application-level logging or a WAF that inspects request bodies is needed for full coverage. Finally, regular audits of installed plugins and themes for authorization checks, and periodic review of which roles hold which capabilities, help catch the same class of flaw before it is reported.
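A detector for the enumeration pattern described above, added here as an example and not taken from the advisory, the plugin or any vendor tooling. It scans web-server access lines for `admin-ajax.php` calls to a given action and flags any client address that requests a threshold number of distinct `user_id` values within a time window. The action name `wpdm_review_user_status`, the `user_id` parameter and every log line are constructed assumptions; the real request shape for this plugin is not given on this page.

```php
<?php
// Added example, not part of the advisory or the plugin. Flags clients that
// enumerate user IDs through admin-ajax.php. The action name, the parameter
// name and the log lines are constructed assumptions, not observed traffic.

// Parse one combined-format access log line into its useful fields.
function parse_access_line(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if (!$ts) { return null; }
    return ['ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3],
            'url' => $m[4], 'status' => (int) $m[5]];
}

// Return [ip => max distinct user_ids requested inside any $windowSec window]
// for every client that reached $threshold. Sliding window per client.
function find_user_enumeration(array $lines, string $action, int $threshold = 10, int $windowSec = 60): array {
    $events = []; // ip => list of [timestamp, user_id]
    foreach ($lines as $line) {
        $r = parse_access_line($line);
        if (!$r || strpos($r['url'], 'admin-ajax.php') === false) { continue; }
        $q = [];
        parse_str((string) parse_url($r['url'], PHP_URL_QUERY), $q);
        if (($q['action'] ?? '') !== $action || !isset($q['user_id'])) { continue; }
        $events[$r['ip']][] = [$r['ts'], (int) $q['user_id']];
    }
    $alerts = [];
    foreach ($events as $ip => $list) {
        usort($list, fn($a, $b) => $a[0] <=> $b[0]);
        $n = count($list);
        $max = 0;
        for ($i = 0, $j = 0; $j < $n; $j++) {
            while ($list[$j][0] - $list[$i][0] > $windowSec) { $i++; }
            $ids = array_unique(array_column(array_slice($list, $i, $j - $i + 1), 1));
            $max = max($max, count($ids));
        }
        if ($max >= $threshold) { $alerts[$ip] = $max; }
    }
    return $alerts;
}

// Constructed sample log: one client walks user_id 1..12 in thirty seconds,
// another makes a single call to the same action and then loads the login page.
$action = 'wpdm_review_user_status';
$lines = [];
for ($i = 1; $i <= 12; $i++) {
    $lines[] = sprintf('203.0.113.7 - - [19/Mar/2026:10:00:%02d +0000] '
        . '"GET /wp-admin/admin-ajax.php?action=%s&user_id=%d HTTP/1.1" 200 312', $i * 2, $action, $i);
}
$lines[] = '198.51.100.4 - - [19/Mar/2026:10:00:05 +0000] '
    . '"GET /wp-admin/admin-ajax.php?action=' . $action . '&user_id=3 HTTP/1.1" 200 312';
$lines[] = '198.51.100.4 - - [19/Mar/2026:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200';

foreach (find_user_enumeration($lines, $action) as $ip => $count) {
    echo "ALERT $ip requested $count distinct user_ids within the window\n";
}
```

Running this prints one alert for 203.0.113.7 and nothing for 198.51.100.4. The obvious blind spot is stated in the code's premise: only GET-style calls carry `action` and `user_id` in the access log. For POST traffic, the same sliding-window logic should be fed from a WordPress-side hook (for example a small must-use plugin that records the AJAX action, the calling user and the requested ID on each `wp_ajax_` call) or from a WAF that logs request bodies.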