CVE-2026-2426
📋 TL;DR
The WP-DownloadManager plugin for WordPress has a path traversal vulnerability that allows authenticated administrators to delete arbitrary files on the server. This can lead to remote code execution if critical files like wp-config.php are deleted. All WordPress sites using this plugin up to version 1.69 are affected.
💻 Affected Systems
- WP-DownloadManager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via remote code execution after deleting wp-config.php or other critical files, leading to data theft, defacement, or malware installation.
Likely Case
Site disruption or data loss from deletion of important files, potentially causing downtime or requiring restoration from backups.
If Mitigated
Limited impact if proper file permissions and access controls prevent deletion of critical system files.
🎯 Exploit Status
Exploitation requires administrator credentials. The vulnerability is well-documented with public proof-of-concept available in commit references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.69
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-manager.php
Restart Required: No
Instructions:
1. Update WP-DownloadManager plugin to latest version via WordPress admin panel. 2. Alternatively, download and install latest version from WordPress plugin repository. 3. Verify update completed successfully.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable WP-DownloadManager plugin until patched
wp plugin deactivate wp-downloadmanager
Restrict Administrator Access
allLimit administrator accounts to trusted users only and implement strong authentication
🧯 If You Can't Patch
- Implement strict file permissions on critical files (e.g., wp-config.php set to 400 or 440)
- Monitor and audit administrator account activity for suspicious file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > WP-DownloadManager version. If version is 1.69 or lower, you are vulnerable.Check Version:
wp plugin list --name=wp-downloadmanager --field=versionVerify Fix Applied:
After updating, verify plugin version is higher than 1.69. Check that file deletion functionality no longer accepts directory traversal sequences.📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in WordPress logs
- Multiple failed file deletion attempts with traversal sequences
- Administrator account performing unexpected file operations
Network Indicators:
- HTTP POST requests to download-manager.php with 'file' parameter containing '../' sequences
SIEM Query:
source="wordpress.log" AND "download-manager.php" AND "file=" AND ("../" OR "..\")🔗 References
- https://github.com/lesterchan/wp-downloadmanager/commit/d3470a8971d9043438c8aad281cf37d14fefa208
- https://plugins.trac.wordpress.org/browser/wp-downloadmanager/tags/1.69/download-manager.php#L215
- https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-manager.php#L215
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f791dd-7c24-45e3-b4f6-b8d7e594c568?source=cve
