CVE-2025-12177

5.3 MEDIUM

Authentication Bypass

📋 TL;DR

The Download Manager WordPress plugin contains a hardcoded cron key vulnerability that allows unauthenticated attackers to trigger deletion of expired posts and cache clearing. This affects all WordPress sites using Download Manager versions up to 3.3.30. Attackers can disrupt website functionality by removing content without authentication.

💻 Affected Systems

Products:

• WordPress Download Manager Plugin

Versions: All versions up to and including 3.3.30

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete loss of expired content and cached data, potentially disrupting website functionality and user experience if critical posts are deleted.

🟠

Likely Case

Intermittent content loss and cache clearing causing temporary website performance issues and broken links.

🟢

If Mitigated

Minimal impact with proper monitoring and backups in place to restore deleted content.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires simple HTTP requests to trigger cron endpoints with hardcoded key.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.31

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390068%40download-manager&new=3390068%40download-manager&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Download Manager plugin
4. Click 'Update Now' if update available
5. Alternatively, download version 3.3.31+ from WordPress repository
6. Deactivate old version and upload new version
7. Activate updated plugin

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily deactivate the Download Manager plugin until patched

Block Cron Endpoints

linux

Use web application firewall or .htaccess to block access to plugin cron endpoints

Copy

# Add to .htaccess
RewriteEngine On
RewriteCond %{REQUEST_URI} .*download-manager.*cron.* [NC]
RewriteRule .* - [F,L]

🧯 If You Can't Patch

• Implement strict network controls to block external access to WordPress cron endpoints
• Enable comprehensive logging and monitoring for unauthorized deletion events

🔍 How to Verify

Check if Vulnerable:

Copy

Check WordPress admin → Plugins → Installed Plugins for Download Manager version. If version is 3.3.30 or lower, system is vulnerable.

Check Version:

Copy

wp plugin list --name=download-manager --field=version

Verify Fix Applied:

Copy

Verify plugin version is 3.3.31 or higher in WordPress admin panel. Test cron endpoints return 403/404 instead of executing functions.

📡 Detection & Monitoring

Log Indicators:

• HTTP requests to /wp-content/plugins/download-manager/*cron* endpoints
• Unauthenticated POST requests triggering deleteExpired or clearTempDataCPCron functions
• Sudden increase in post deletion or cache clearing events

Network Indicators:

• Unusual traffic patterns to plugin cron endpoints from external IPs
• HTTP requests containing hardcoded cron key parameter

SIEM Query:

Copy

source="web_logs" AND (uri="*download-manager*cron*" OR user_agent="*cron*" OR params="*cron_key*") AND status=200

📊 Metadata

CVE ID: CVE-2025-12177

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-321

EPSS Score: 0.12% exploit probability (31.1th percentile)

Published: November 8, 2025

Last Updated: November 12, 2025

🔗 References

• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390068%40download-manager&new=3390068%40download-manager&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/17d5253c-5000-40c7-a7fd-f75d4badfb5e?source=cve

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12177, you might also want to check these:

CVE-2024-30207 10.0

This vulnerability affects multiple SIMATIC RTLS Locating Manager products where communication betwe...

Same vulnerability type (CWE-321)

CVE-2025-34256 9.8

This vulnerability allows remote unauthenticated attackers to forge JWT tokens using a hard-coded cr...

Same vulnerability type (CWE-321)

CVE-2026-25894 9.8

An insecure default configuration in FUXA web-based SCADA/HMI software allows unauthenticated remote...

Same vulnerability type (CWE-321)