Privilege Escalation Vulnerability in Download Manager Plugin for WordPress
CVE-2025-15364

7.3HIGH

Key Information:

Vendor: WordPress
Status: Download Manager
Vendor: CVE Published:; 6 January 2026

What is CVE-2025-15364?

The Download Manager plugin for WordPress contains a vulnerability that allows unauthenticated attackers to execute a privilege escalation attack. This is initiated by exploiting inadequate identity verification when users attempt to update their account details, including passwords, in versions up to and including 3.3.40. By successfully performing this attack, adversaries can change user passwords (excluding administrators) and take control over user accounts, posing a significant security risk.

Affected Version(s)

Download Manager * <= 3.3.40

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/download-manag...

https://plugins.trac.wordpress.org/changeset/3431915/down...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 6, 2026
Vulnerability Reserved
Dec 30, 2025

Credit

Drew Webber

JSON