CVE-2025-60092
📋 TL;DR
This vulnerability in Shahjada Download Manager WordPress plugin allows unauthorized users to retrieve embedded sensitive system information. It affects all WordPress sites using Download Manager plugin versions up to 3.3.24. Attackers can access data that should be protected from public view.
💻 Affected Systems
- Shahjada Download Manager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive system information, configuration details, or credentials that could enable further attacks against the WordPress installation or underlying infrastructure.
Likely Case
Unauthorized users access internal system information, plugin configurations, or metadata that reveals details about the WordPress environment.
If Mitigated
With proper access controls and network segmentation, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires understanding of WordPress plugin structure and access to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.3.24
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Download Manager plugin
4. Click 'Update Now' if update available
5. If no update available, deactivate and remove plugin
6. Install latest version from WordPress repository
🔧 Temporary Workarounds
Disable vulnerable plugin
WordPressTemporarily deactivate Download Manager plugin until patched version is available
wp plugin deactivate download-manager
🧯 If You Can't Patch
- Implement web application firewall rules to block access to vulnerable plugin endpoints
- Restrict access to WordPress admin area using IP whitelisting or authentication requirements
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Download Manager version 3.3.24 or earlierCheck Version:
wp plugin get download-manager --field=versionVerify Fix Applied:
Verify plugin version is higher than 3.3.24 in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to download-manager plugin endpoints
- Requests to sensitive data endpoints from unauthorized IPs
Network Indicators:
- HTTP requests to /wp-content/plugins/download-manager/ with unusual parameters
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/download-manager/" AND NOT user_agent="WordPress")