CVE-2025-10146
📋 TL;DR
The Download Manager WordPress plugin up to version 3.3.23 contains a reflected cross-site scripting vulnerability in the 'user_ids' parameter. Unauthenticated attackers can inject malicious scripts that execute when users click specially crafted links. This affects all WordPress sites using vulnerable versions of the Download Manager plugin.
💻 Affected Systems
- WordPress Download Manager plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to complete site compromise.
Likely Case
Attackers would typically use this to steal user session cookies or credentials through phishing-style attacks targeting users who click malicious links.
If Mitigated
With proper web application firewalls and user education about suspicious links, impact would be limited to unsuccessful phishing attempts.
🎯 Exploit Status
Exploitation requires tricking users into clicking malicious links but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.3.24 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Download Manager and click 'Update Now'. 4. Verify update to version 3.3.24 or higher.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
allDeploy a WAF with XSS protection rules to block malicious requests.
Disable vulnerable feature
WordPressTemporarily disable the Download Manager plugin until patched.
wp plugin deactivate download-manager
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy a web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Download Manager version 3.3.23 or earlier.Check Version:
wp plugin get download-manager --field=versionVerify Fix Applied:
Verify Download Manager plugin version is 3.3.24 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing script tags or JavaScript in 'user_ids' parameter
- Unusual GET requests to download-manager stats/history endpoints
Network Indicators:
- Malicious URLs containing script payloads in parameters
- Requests with encoded JavaScript in query strings
SIEM Query:
source="web_logs" AND uri_path="/wp-content/plugins/download-manager/" AND query_string="*user_ids=*script*"