Unauthorized Access Vulnerability in Download Manager for WordPress
CVE-2025-13498

4.3MEDIUM

Key Information:

Vendor

WordPress
Status
Download Manager
Vendor
CVE Published:
18 December 2025

What is CVE-2025-13498?

The Download Manager plugin for WordPress contains a vulnerability that enables unauthorized access to sensitive information due to inadequate authorization and capability checks on the wpdm_media_access AJAX action. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to gain access to passwords and access control settings for protected media attachments, allowing them to bypass intended media protections and download restricted files. This vulnerability affects all versions of the plugin up to and including 3.3.32.

Affected Version(s)

Download Manager * <= 3.3.32

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/download-manag...
https://plugins.trac.wordpress.org/browser/download-manag...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M Indra Purnama
JSON
.
CVE-2025-13498 : Unauthorized Access Vulnerability in Download Manager for WordPress