Does Download Manager have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Download Manager compatible with WordPress 6.9.4?

According to WordPress.org data, Download Manager 3.3.54 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Download Manager updated?

Download Manager was last updated on Apr 15, 2026. Frequent updates are generally a positive security signal.

What is Download Manager's security score?

Download Manager has a WP-Safety security score of 76/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Download Manager Security & Risk Analysis

wordpress.org/plugins/download-manager

This File Management & Digital Store plugin will help you to control file downloads & sell digital products from your WP site.

100K active installs v3.3.54 PHP + WP 5.3+ Updated Apr 15, 2026

digital-storedocument-managementdownload-managerecommercefile-manager

B · Generally Safe

CVEs total79

Unpatched0

Last CVEApr 9, 2026

Plugin page Download

Safety Verdict

Is Download Manager Safe to Use in 2026?

Mostly Safe

Score 76/100

Download Manager is generally safe to use. 79 past CVEs were resolved.

79 known CVEsLast CVE: Apr 9, 2026Updated 1mo ago

Risk Assessment

The "download-manager" plugin v3.3.51 presents a concerning security posture, primarily due to a significant attack surface with a high proportion of unprotected entry points. With 31 out of 81 total entry points lacking authentication checks, this plugin is highly susceptible to unauthorized access and execution of potentially malicious actions. The static analysis also reveals that a substantial percentage of output operations (61%) are not properly escaped, indicating a strong potential for Cross-Site Scripting (XSS) vulnerabilities, especially when combined with the number of unprotected AJAX handlers and REST API routes.

Taint analysis, while limited in scope (18 flows analyzed), did identify one high-severity flow. This, coupled with the history of 74 known CVEs, including critical and high-severity issues across various categories like Path Traversal, Code Injection, and Authentication Bypass, paints a worrying picture. The historical prevalence of these serious vulnerability types suggests a pattern of insecure coding practices within the plugin. While there are currently no unpatched CVEs, the sheer volume and nature of past vulnerabilities indicate a persistent risk.

Despite the presence of numerous file operations and external HTTP requests which can be sources of vulnerabilities if not handled correctly, the absence of dangerous functions and the use of prepared statements for a good portion of SQL queries are positive signs. However, these strengths are heavily outweighed by the significant attack surface lacking proper authorization and the historical trend of severe security flaws. The plugin's security is compromised by a lack of robust access control and output sanitization, demanding immediate attention and mitigation.

Key Concerns

High number of unprotected AJAX handlers
High number of unprotected REST API routes
High percentage of unescaped output
High severity taint flow identified
Significant number of past critical CVEs
Significant number of past high CVEs
Vulnerability history shows Path Traversal issues
Vulnerability history shows Code Injection issues
Vulnerability history shows Auth Bypass issues
Vulnerability history shows Improper Access Control issues

Vulnerabilities

79 published

Download Manager Security Vulnerabilities

CVEs by Year

2 CVEs in 2013

2013

3 CVEs in 2014

2014

1 CVE in 2015

2015

3 CVEs in 2016

2016

4 CVEs in 2017

2017

1 CVE in 2018

2018

2 CVEs in 2019

2019

9 CVEs in 2021

2021

17 CVEs in 2022

2022

4 CVEs in 2023

2023

15 CVEs in 2024

2024

11 CVEs in 2025

2025

7 CVEs in 2026

2026

Patched Has unpatched

Severity Breakdown

Critical

High

Medium

79 total CVEs

CVE-2026-4057medium · 4.3Missing Authorization

Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal

Apr 9, 2026 Patched in 3.3.52 (1d)

CVE-2026-5357medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Apr 8, 2026 Patched in 3.3.53 (1d)

CVE-2026-2571medium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter

Mar 18, 2026 Patched in 3.3.50 (1d)

CVE-2026-39676medium · 5.3Missing Authorization

Download Manager <= 3.3.52 - Missing Authorization

Feb 19, 2026 Patched in 3.3.53 (56d)

CVE-2026-1666medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter

Feb 17, 2026 Patched in 3.3.47 (1d)

CVE-2026-39615medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.53 - Authenticated (Author+) Stored Cross-Site Scripting

Feb 10, 2026 Patched in 3.3.54 (65d)

CVE-2025-15364high · 7.3Missing Support for Integrity Check

Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword

Jan 5, 2026 Patched in 3.3.41 (1d)

CVE-2025-13498medium · 4.3Missing Authorization

Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure

Dec 17, 2025 Patched in 3.3.33 (1d)

CVE-2025-12177medium · 5.3Use of Hard-coded Cryptographic Key

Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key

Nov 7, 2025 Patched in 3.3.31 (1d)

CVE-2025-63070medium · 4.3Exposure of Sensitive Information to an Unauthorized Actor

Download Manager <= 3.3.32 - Authenticated (Subscriber+) Information Exposure

Sep 30, 2025 Patched in 3.3.33 (73d)

CVE-2025-60092medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Download Manager <= 3.3.25 - Unauthenticated Sensitive Information Exposure

Sep 26, 2025 Patched in 3.3.26 (13d)

CVE-2025-60093medium · 4.3Cross-Site Request Forgery (CSRF)

Download Manager <= 3.3.24 - Cross-Site Request Forgery

Sep 26, 2025 Patched in 3.3.25 (13d)

CVE-2025-10146medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.23 - Reflected Cross-Site Scripting via `user_ids` Parameter

Sep 18, 2025 Patched in 3.3.24 (1d)

CVE-2025-4367medium · 6.4Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode

Jun 18, 2025 Patched in 3.3.19 (1d)

CVE-2025-3404high · 8.8Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion

Apr 18, 2025 Patched in 3.3.13 (1d)

CVE-2025-3056medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Apr 17, 2025 Patched in 3.3.13 (1d)

CVE-2025-1785medium · 5.4Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Download Manager <= 3.3.08 - Authenticated (Author+) Path Traversal to Limited File Overwrite

Mar 12, 2025 Patched in 3.3.09 (1d)

CVE-2024-13126medium · 5.3Files or Directories Accessible to External Parties

Download Manager <= 3.3.06 - Unauthenticated Information Disclosure via Unprotected Directory

Jan 17, 2025 Patched in 3.3.07 (50d)

CVE-2024-56217medium · 4.3Missing Authorization

Download Manager <= 3.3.03 - Missing Authorization

Dec 19, 2024 Patched in 3.3.04 (21d)

CVE-2024-11740high · 7.3Improper Control of Generation of Code ('Code Injection')

Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode Execution

Dec 18, 2024 Patched in 3.3.04 (1d)

CVE-2024-11768medium · 5.3Improper Authorization

Download manager <= 3.3.03 - Improper Authorization to Unauthenticated Download of Password-Protected Files

Dec 18, 2024 Patched in 3.3.04 (1d)

CVE-2024-10706medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.02 - Authenticated (Admin+) Stored Cross-Site Scripting

Nov 29, 2024 Patched in 3.3.03 (25d)

CVE-2024-8444medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.99 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 9, 2024 Patched in 3.3.00 (65d)

CVE-2024-8284medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.98 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 23, 2024 Patched in 3.2.99 (26d)

CVE-2024-6208medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jul 30, 2024 Patched in 3.2.98 (2d)

CVE-2024-2098high · 7.5Authentication Bypass by Alternate Name

Download Manager <= 3.2.89 - Improper Authorization via protectMediaLibrary

Jun 12, 2024 Patched in 3.2.90 (1d)

CVE-2024-5266medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.92 - Authenticated (Author+) Stored Cross-Site Scripting via Multiple Shortcodes

Jun 11, 2024 Patched in 3.2.94 (1d)

CVE-2024-1766medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.86 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

Jun 11, 2024 Patched in 3.2.87 (1d)

CVE-2024-4001medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.93 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm_modal_login_form Shortcode

Jun 4, 2024 Patched in 3.2.94 (1d)

CVE-2024-4160medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.90 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpdm-all-packages Shortcode

May 30, 2024 Patched in 3.2.91 (22d)

CVE-2024-29114medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.84 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 16, 2024 Patched in 3.2.85 (5d)

CVE-2023-6954medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.85 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Feb 28, 2024 Patched in 3.2.86 (153d)

CVE-2023-6785medium · 5.3Improper Access Control

Download Manager <= 3.2.84 - Missing Authorization

Feb 28, 2024 Patched in 3.2.85 (153d)

CVE-2023-6421medium · 5.3Incorrect Authorization

Download Manager <= 3.2.82 - Unauthenticated Password Leak

Nov 29, 2023 Patched in 3.2.83 (70d)

CVE-2023-2305medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

May 12, 2023 Patched in 3.2.71 (256d)

CVE-2023-1524medium · 4.3Improper Authorization

Download Manager <= 3.2.70 - Insufficient Authorization to Information Disclosure

May 8, 2023 Patched in 3.2.71 (260d)

CVE-2023-1809medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Download Manager Pro <= 6.2.9 - Unauthenticated Information Disclosure

Apr 10, 2023 Patched in 6.3.0 (288d)

CVE-2022-4476medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.61 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 20, 2022 Patched in 3.2.62 (399d)

CVE-2022-45836medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.59 - Refleced Cross-Site Scripting

Nov 29, 2022 Patched in 3.2.60 (420d)

CVE-2022-2926medium · 4.9Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Download Manager <= 3.2.54 - Authenticated (Admin+) Path Traversal

Sep 5, 2022 Patched in 3.2.55 (505d)

CVE-2022-2436high · 8.8Deserialization of Untrusted Data

Download Manager <= 3.2.49 - Authenticated (Contributor+) PHAR Deserialization

Aug 17, 2022 Patched in 3.2.50 (524d)

WF-332b8d96-89b2-473b-9186-239e49f5b064-download-managermedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.53 - Reflected Cross-Site Scripting

Aug 4, 2022 Patched in 3.2.54 (537d)

CVE-2022-34347high · 8.8Cross-Site Request Forgery (CSRF)

Download Manager <= 3.2.48 - Cross-Site Request Forgery to Plugin Settings Update

Aug 2, 2022 Patched in 3.2.49 (539d)

CVE-2022-36288high · 8.8Cross-Site Request Forgery (CSRF)

Download Manager <= 3.2.48 - Cross-Site Request Forgery

Aug 2, 2022 Patched in 3.2.49 (539d)

CVE-2022-2362medium · 5.3Authentication Bypass by Spoofing

Download Manager <= 3.2.49 - IP Blocking Bypass

Aug 1, 2022 Patched in 3.2.50 (540d)

CVE-2022-2431high · 8.8Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Download Manager <= 3.2.50 - Authenticated (Contributor+) Arbitrary File Deletion

Jul 27, 2022 Patched in 3.2.51 (545d)

CVE-2022-34658medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.48 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 6, 2022 Patched in 3.2.49 (566d)

CVE-2022-2168medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.43 - Reflected Cross-Site Scripting

Jun 27, 2022 Patched in 3.2.44 (575d)

WF-9d72604e-23ef-4a69-8839-cf8ff4aef3bc-download-managermedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.43 - Reflected Cross-Site Scripting

Jun 23, 2022 Patched in 3.2.44 (579d)

CVE-2022-2101medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting

Jun 21, 2022 Patched in 3.2.47 (581d)

CVE-2022-1985medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.2.42 - Reflected Cross-Site Scripting

Jun 2, 2022 Patched in 3.2.43 (600d)

CVE-2022-0828high · 7.5Inadequate Encryption Strength

Download Manager <= 3.2.38 - Unauthenticated Brute Force of File Master Key

Mar 16, 2022 Patched in 3.2.39 (678d)

CVE-2021-25087high · 7.5Improper Access Control

Download Manager <= 3.2.34 - Sensitive Information Disclosure

Feb 2, 2022 Patched in 3.2.35 (720d)

CVE-2021-25069high · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WordPress Download Manager <= 3.2.33 - Authenticated SQL Injection

Jan 20, 2022 Patched in 3.2.34 (733d)

CVE-2021-24969medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 3.2.21 - Cross-Site Scripting

Nov 29, 2021 Patched in 3.2.22 (785d)

CVE-2021-24773medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 3.2.15 - Cross-Site Scripting

Sep 29, 2021 Patched in 3.2.16 (846d)

WF-b0d8499a-a630-4c2b-9381-78ac83da119d-download-managerhigh · 7.1Cross-Site Request Forgery (CSRF)

WordPress Download Manager <= 3.2.12 - Cross-Site Request Forgery

Aug 9, 2021 Patched in 3.2.13 (897d)

CVE-2021-34639high · 7.5Unrestricted Upload of File with Dangerous Type

WordPress Download Manager <= 3.1.24 - Authenticated File Upload

Jul 29, 2021 Patched in 3.1.25 (908d)

CVE-2021-34638medium · 6.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 3.1.24 - Cross-Site Scripting

Jul 29, 2021 Patched in 3.1.25 (908d)

WF-4ccc8f3b-9028-45db-8db2-574736fe3ccb-download-managerhigh · 8.8Cross-Site Request Forgery (CSRF)

WordPress Download Manager < 3.1.22 - Cross-Site Request Forgery

Apr 30, 2021 Patched in 3.1.22 (998d)

WF-6d700580-1374-4a17-a6b3-59ba1d063030-download-managermedium · 6.3Missing Authorization

WordPress Download Manager < 3.1.23 - Arbitrary Asset Manager Usage

Apr 30, 2021 Patched in 3.1.23 (998d)

WF-ed40b874-68e2-49f3-95b0-653600394e78-download-managerhigh · 8.8Unrestricted Upload of File with Dangerous Type

WordPress Download Manager < 3.1.19 - Arbitrary File Upload

Apr 30, 2021 Patched in 3.1.19 (998d)

WF-06738434-ccd4-4e87-8163-d56ff3b4b5c8-download-managermedium · 5.3Missing Authorization

Download Manager <= 3.1.17 - Missing Authorization

Apr 16, 2021 Patched in 3.1.18 (1012d)

WF-cad5274f-0d73-425d-bdfb-478c77d55d6c-download-managermedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 2.9.96 - Cross-Site Scripting

Jun 16, 2019 Patched in 2.9.97 (1682d)

CVE-2019-15889medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 2.9.93 - Cross-Site Scripting

Apr 13, 2019 Patched in 2.9.94 (1746d)

WF-79b5883b-a3be-497e-b911-7dc39e7fb418-download-managermedium · 6.3Cross-Site Request Forgery (CSRF)

WordPress Download Manager <= 2.9.6 - Cross-Site Request Forgery

Jan 9, 2018 Patched in 2.9.61 (2205d)

CVE-2017-2217medium · 6.1URL Redirection to Untrusted Site ('Open Redirect')

WordPress Download Manager < 2.9.51 - Open Redirect

Jul 13, 2017 Patched in 2.9.51 (2385d)

CVE-2017-18032medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 2.9.51 - Cross-Site Scripting

Jun 16, 2017 Patched in 2.9.52 (2412d)

CVE-2017-2216medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 2.9.49 - Reflected Cross-Site Scripting

Jun 13, 2017 Patched in 2.9.50 (2415d)

WF-f52aede5-21c3-46b9-800e-860a677a4b90-download-managerhigh · 8.8Cross-Site Request Forgery (CSRF)

WordPress Download Manager <= 2.9.45 - Cross-Site Request Forgery

Mar 1, 2017 Patched in 2.9.46 (2519d)

WF-639bf20c-04d4-49e5-8da1-685421a6f63a-download-managermedium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Download Manager <= 2.8.7 - Sensitive Information Disclosure via Directory Listing

Jan 19, 2016 Patched in 2.8.8 (2926d)

WF-c59cddfb-c434-4a69-9c1c-7d58f022c1aa-download-managermedium · 6.5Improper Privilege Management

Download Manager <= 2.8.7 - Privilege Escalation

Jan 19, 2016 Patched in 2.8.8 (2926d)

WF-d7d381af-bb2a-43cb-9e5d-0b3d0e5f88f0-download-managercritical · 9.1Missing Authorization

Download Manager <= 2.8.7 - Missing Authorization

Jan 19, 2016 Patched in 2.8.8 (2926d)

WF-b3247bb3-3d9a-49b5-99ec-f4b305d37ae5-download-managermedium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Download Manager <= 2.7.94 - Stored Cross-Site Scripting

Jul 16, 2015 Patched in 2.7.95 (3113d)

WF-5e491592-a17f-4789-8faa-d2a60b8ced70-download-managercritical · 9.8Improper Control of Generation of Code ('Code Injection')

WordPress Download Manager <= 2.7.4 - Remote Code Execution

Dec 15, 2014 Patched in 2.7.5 (3326d)

CVE-2014-9260high · 8.1Missing Authorization

WordPress Download Manager <= 2.7.2 - Authenticated Arbitrary Options Update

Nov 24, 2014 Patched in 2.7.3 (3347d)

WF-6a6390d2-58cd-468e-9936-e16954e2d3ee-download-managermedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 2.2.2 - Cross-Site Scripting

Aug 1, 2014 Patched in 2.2.3 (3462d)

CVE-2013-7319high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager < 2.5.9 - Stored Cross-Site Scripting

Dec 8, 2013 Patched in 2.5.9 (3698d)

WF-bd7c442f-5c91-4c52-933a-8a6fb7adca8c-download-managermedium · 5.3Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 2.5.8 - Cross-Site Scripting

Dec 7, 2013 Patched in 2.5.9 (3699d)

Version History

Download Manager Release Timeline

v3.3.54Current1 CVE

CVE-2023-1809

v3.3.532 CVEs

CVE-2026-39615 CVE-2023-1809

v3.3.524 CVEs10 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2023-1809 +1 more

v3.3.515 CVEs13 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2023-1809 +2 more

v3.3.505 CVEs23 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2023-1809 +2 more

v3.3.496 CVEs19 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2023-1809 +3 more

v3.3.486 CVEs3 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2023-1809 +3 more

v3.3.476 CVEs27 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2023-1809 +3 more

v3.3.467 CVEs31 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2026-1666 +4 more

v3.3.457 CVEs18 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2026-1666 +4 more

v3.3.447 CVEs11 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2026-1666 +4 more

v3.3.437 CVEs4 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2026-1666 +4 more

v3.3.427 CVEs6 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2026-1666 +4 more

v3.3.417 CVEs26 files changed

CVE-2026-39615 CVE-2026-5357 CVE-2026-1666 +4 more

v3.3.408 CVEs13 files changed

CVE-2026-39615 CVE-2025-15364 CVE-2026-5357 +5 more

v3.3.398 CVEs3 files changed

CVE-2026-39615 CVE-2025-15364 CVE-2026-5357 +5 more

v3.3.388 CVEs25 files changed

CVE-2026-39615 CVE-2025-15364 CVE-2026-5357 +5 more

v3.3.378 CVEs14 files changed

CVE-2026-39615 CVE-2025-15364 CVE-2026-5357 +5 more

v3.3.368 CVEs14 files changed

CVE-2026-39615 CVE-2025-15364 CVE-2026-5357 +5 more

v3.3.358 CVEs3 files changed

CVE-2026-39615 CVE-2025-15364 CVE-2026-5357 +5 more

Code Analysis

Analyzed Mar 16, 2026

Download Manager Code Analysis

Dangerous Functions

Raw SQL Queries

31 prepared

Unescaped Output

1073

696 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

DataTablesjQuerySelect2

SQL Query Safety

41% prepared75 total queries

Output Escaping

39% escaped1769 total outputs

Data Flows · Security

10 unsanitized

Data Flow Analysis

18 flows10 with unsanitized paths

loginURLRedirect (src\User\Login.php:437)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

31 unprotected

Download Manager Attack Surface

Entry Points81

Unprotected31

AJAX Handlers 52

authwp_ajax_wpdm_remove_admin_noticesrc\Admin\AdminController.php:40

authwp_ajax_hide_wpdmpro_noticesrc\Admin\AdminController.php:41

authwp_ajax_wpdm_iconFindersrc\Admin\AdminController.php:42

authwp_ajax_wpdm_admin_upload_filesrc\Admin\Menu\Packages.php:28

authwp_ajax_wpdm_settingssrc\Admin\Menu\Settings.php:19

authwp_ajax_wpdm_delete_cronsrc\Admin\Menu\Settings.php:22

authwp_ajax_wpdm_test_recaptchasrc\Admin\Menu\Settings.php:23

authwp_ajax_wpdm_stats_get_packagessrc\Admin\Menu\Stats.php:22

authwp_ajax_wpdm_stats_get_userssrc\Admin\Menu\Stats.php:23

authwp_ajax_template_previewsrc\Admin\Menu\Templates.php:18

authwp_ajax_wpdm_save_email_templatesrc\Admin\Menu\Templates.php:19

authwp_ajax_update_template_statussrc\Admin\Menu\Templates.php:20

authwp_ajax_wpdm_save_email_settingsrc\Admin\Menu\Templates.php:21

authwp_ajax_connect_template_serversrc\Admin\Menu\Templates.php:22

authwp_ajax_wpdm_create_dashboard_pagesrc\Admin\Menu\Welcome.php:11

authwp_ajax_wpdm_mkdirsrc\AssetManager\AssetManager.php:75

authwp_ajax_wpdm_newfilesrc\AssetManager\AssetManager.php:76

authwp_ajax_wpdm_scandirsrc\AssetManager\AssetManager.php:77

authwp_ajax_wpdm_createzipsrc\AssetManager\AssetManager.php:78

authwp_ajax_wpdm_unzipitsrc\AssetManager\AssetManager.php:79

authwp_ajax_wpdm_openfilesrc\AssetManager\AssetManager.php:80

authwp_ajax_wpdm_filesettingssrc\AssetManager\AssetManager.php:81

authwp_ajax_wpdm_unlinksrc\AssetManager\AssetManager.php:82

authwp_ajax_wpdm_renamesrc\AssetManager\AssetManager.php:83

authwp_ajax_wpdm_savefilesrc\AssetManager\AssetManager.php:84

authwp_ajax_wpdm_copypastesrc\AssetManager\AssetManager.php:85

authwp_ajax_wpdm_cutpastesrc\AssetManager\AssetManager.php:86

authwp_ajax_wpdm_addcommentsrc\AssetManager\AssetManager.php:87

authwp_ajax_wpdm_newsharelinksrc\AssetManager\AssetManager.php:88

authwp_ajax_wpdm_getlinkdetsrc\AssetManager\AssetManager.php:89

authwp_ajax_wpdm_updatelinksrc\AssetManager\AssetManager.php:90

authwp_ajax_wpdm_deletelinksrc\AssetManager\AssetManager.php:91

authwp_ajax_wpdm_media_passsrc\MediaLibrary\MediaAccessControl.php:21

noprivwp_ajax_wpdm_media_passsrc\MediaLibrary\MediaAccessControl.php:22

authwp_ajax_wpdm_media_accesssrc\MediaLibrary\MediaAccessControl.php:26

authwp_ajax_make_media_publicsrc\MediaLibrary\MediaAccessControl.php:27

authwp_ajax_make_media_privatesrc\MediaLibrary\MediaAccessControl.php:28

authwp_ajax_wpdm_view_countsrc\Package\PackageController.php:83

noprivwp_ajax_updatePasswordsrc\User\Login.php:33

noprivwp_ajax_resetPasswordsrc\User\Login.php:34

authwp_ajax_wpdm_get_profile_menu_contentsrc\User\PublicProfile.php:27

noprivwp_ajax_wpdm_get_profile_menu_contentsrc\User\PublicProfile.php:28

authwp_ajax_wpdmdz_user_statussrc\User\UserController.php:47

authwp_ajax_wpdmdz_update_user_statussrc\User\UserController.php:48

noprivwp_ajax_showLockOptionssrc\__\Apply.php:25

authwp_ajax_showLockOptionssrc\__\Apply.php:26

authwp_ajax_wpdm_verify_file_passsrc\__\Apply.php:28

noprivwp_ajax_wpdm_verify_file_passsrc\__\Apply.php:29

authwp_ajax_wpdm_generate_passwordsrc\__\Apply.php:31

authwp_ajax_wpdm-activate-shopsrc\__\Apply.php:32

authwp_ajax_clear_cachesrc\__\Apply.php:66

authwp_ajax_clear_statssrc\__\Apply.php:67

REST API Routes 5

GET/wp-json/wpdm/media-accesssrc\MediaLibrary\RestAPI.php:22

POST/wp-json/wpdm/validate-captchasrc\Package\RestAPI.php:18

POST/wp-json/wpdm/validate-passwordsrc\Package\RestAPI.php:24

GET/wp-json/wpdm/searchsrc\Package\RestAPI.php:30

POST/wp-json/wpdm/view-countsrc\Package\RestAPI.php:36

Shortcodes 24

[wpdm_asset] src\AssetManager\AssetManager.php:100

[wpdm_category] src\Category\Shortcodes.php:14

[wpdm_category_link] src\Category\Shortcodes.php:15

[wpdm_media] src\MediaLibrary\MediaAccessControl.php:35

[wpdm_package] src\Package\Shortcodes.php:19

[wpdm_direct_link] src\Package\Shortcodes.php:22

[wpdm_packages] src\Package\Shortcodes.php:25

[wpdm_tag] src\Package\Shortcodes.php:28

[wpdm_download_count] src\Package\Shortcodes.php:31

[wpdm_package_count] src\Package\Shortcodes.php:34

[wpdm_all_packages] src\Package\Shortcodes.php:37

[wpdm-all-packages] src\Package\Shortcodes.php:38

[wpdm_search_result] src\Package\Shortcodes.php:41

[wpdm_changelog] src\Package\Shortcodes.php:44

[wpdm_user_dashboard] src\User\Dashboard.php:26

[wpdm_edit_profile] src\User\EditProfile.php:31

[wpdm_login_form] src\User\Login.php:37

[wpdm_modal_login_form] src\User\Login.php:39

[wpdm_logout_url] src\User\Login.php:41

[wpdm_user_profile] src\User\PublicProfile.php:29

[wpdm_reg_form] src\User\Register.php:32

[wpdm_user_favourites] src\User\User.php:52

[wpdm_members] src\User\User.php:53

[wpdm_authors] src\User\User.php:54

WordPress Hooks 103

actionupgrader_process_completedownload-manager.php:165

actioninitdownload-manager.php:170

actioninitdownload-manager.php:171

actioninitdownload-manager.php:173

actionwp_enqueue_scriptsdownload-manager.php:174

actionwp_footerdownload-manager.php:176

actioninitsrc\Admin\AdminController.php:32

actionadmin_enqueue_scriptssrc\Admin\AdminController.php:33

actionadmin_initsrc\Admin\AdminController.php:34

actionadmin_initsrc\Admin\AdminController.php:35

actionadmin_headsrc\Admin\AdminController.php:36

actionadmin_footersrc\Admin\AdminController.php:37

actionadmin_noticessrc\Admin\AdminController.php:39

filteruser_row_actionssrc\Admin\AdminController.php:44

filterplugin_row_metasrc\Admin\AdminController.php:50

actionwp_dashboard_setupsrc\Admin\DashboardWidgets.php:15

actionadmin_menusrc\Admin\Menu\AddOns.php:18

actionwpdmcategory_add_form_fieldssrc\Admin\Menu\Categories.php:17

actionwpdmcategory_edit_form_fieldssrc\Admin\Menu\Categories.php:18

actionedited_wpdmcategorysrc\Admin\Menu\Categories.php:20

actioncreate_wpdmcategorysrc\Admin\Menu\Categories.php:21

actionadmin_initsrc\Admin\Menu\Categories.php:23

filtermanage_edit-wpdmcategory_columnssrc\Admin\Menu\Categories.php:29

filtermanage_wpdmcategory_custom_columnsrc\Admin\Menu\Categories.php:30

actionsave_postsrc\Admin\Menu\Packages.php:29

actionmanage_wpdmpro_posts_columnssrc\Admin\Menu\Packages.php:31

actionmanage_wpdmpro_posts_custom_columnsrc\Admin\Menu\Packages.php:32

filterrequestsrc\Admin\Menu\Packages.php:34

filtermanage_edit-wpdmpro_sortable_columnssrc\Admin\Menu\Packages.php:35

filterpost_row_actionssrc\Admin\Menu\Packages.php:37

actionadmin_footersrc\Admin\Menu\Packages.php:39

actionadmin_initsrc\Admin\Menu\Packages.php:41

actionadmin_initsrc\Admin\Menu\Settings.php:18

actionadmin_menusrc\Admin\Menu\Settings.php:20

actionadmin_menusrc\Admin\Menu\Stats.php:20

actionadmin_initsrc\Admin\Menu\Stats.php:21

filterinitsrc\Admin\Menu\Templates.php:15

filterwdm_before_fetch_templatesrc\Admin\Menu\Templates.php:16

actionadmin_menusrc\Admin\Menu\Templates.php:23

filtershow_admin_barsrc\Admin\Menu\Templates.php:29

actionadmin_menusrc\Admin\Menu\Welcome.php:9

actionadmin_initsrc\Admin\Menu\Welcome.php:10

actionactivated_pluginsrc\Admin\Menu\Welcome.php:14

actioninitsrc\AssetManager\AssetManager.php:71

actioninitsrc\AssetManager\AssetManager.php:72

actionwpdm_after_upload_filesrc\AssetManager\AssetManager.php:95

actionadmin_enqueue_scriptssrc\AssetManager\AssetManager.php:97

actionadmin_menusrc\AssetManager\AssetManager.php:105

filtertemplate_includesrc\Category\CategoryController.php:17

actioninitsrc\MediaLibrary\MediaAccessControl.php:20

filterattachment_fields_to_editsrc\MediaLibrary\MediaAccessControl.php:25

actionadmin_footersrc\MediaLibrary\MediaAccessControl.php:29

actioninitsrc\MediaLibrary\MediaAccessControl.php:31

filtermedia_upload_tabssrc\MediaLibrary\MediaHandler.php:10

filtermedia_upload_wpdmpromediasrc\MediaLibrary\MediaHandler.php:11

actionrest_api_initsrc\MediaLibrary\RestAPI.php:15

filterattachment_fields_to_editsrc\MediaLibrary\views\media-tab.php:145

actionwpsrc\Package\Hooks.php:22

filterthe_contentsrc\Package\Hooks.php:23

actionrest_api_initsrc\Package\RestAPI.php:12

actionwpsrc\User\Dashboard.php:25

actioninitsrc\User\EditProfile.php:29

actioninitsrc\User\EditProfile.php:30

actioninitsrc\User\Login.php:31

filtertemplate_includesrc\User\Login.php:46

filterthe_contentsrc\User\Login.php:47

filterauthenticatesrc\User\Login.php:49

filterauthenticatesrc\User\Login.php:50

filterauthenticatesrc\User\Login.php:51

actionlogin_formsrc\User\Login.php:53

actioninitsrc\User\PublicProfile.php:26

actioninitsrc\User\Register.php:31

actionregistration_errorssrc\User\Register.php:34

actionuser_registersrc\User\Register.php:36

actionregister_formsrc\User\Register.php:38

actionregistration_errorssrc\User\Register.php:39

filtermanage_users_columnssrc\User\UserController.php:44

filtermanage_users_custom_columnsrc\User\UserController.php:45

actionpersonal_optionssrc\User\UserController.php:50

actionwidgets_initsrc\Widgets\WidgetController.php:20

actionadmin_headsrc\wpdm-functions.php:1121

actionadmin_footersrc\wpdm-functions.php:1218

filterwpdm_custom_datasrc\__\Apply.php:24

filterwp_kses_allowed_htmlsrc\__\Apply.php:34

actioninitsrc\__\Apply.php:38

actioninitsrc\__\Apply.php:39

filterwidget_textsrc\__\Apply.php:42

actionquery_varssrc\__\Apply.php:44

actionrequestsrc\__\Apply.php:45

filterpre_get_postssrc\__\Apply.php:46

filterajax_query_attachments_argssrc\__\Apply.php:48

actionwp_headsrc\__\Apply.php:51

filterpost_comments_feed_linksrc\__\Apply.php:52

filterthe_excerpt_embedsrc\__\Apply.php:54

actionwp_headsrc\__\Apply.php:56

actionafter_switch_themesrc\__\Apply.php:64

actionsave_postsrc\__\Apply.php:65

actionadmin_headsrc\__\Apply.php:68

filtercron_schedulessrc\__\CronJobs.php:25

actioninitsrc\__\CronJobs.php:26

actioninitsrc\__\CronJobs.php:27

actioninitsrc\__\CronJobs.php:28

action__wpdm_cronsrc\__\CronJobs.php:57

Scheduled Events 2

do_pings

__wpdm_cron

Maintenance & Trust

Download Manager Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedApr 15, 2026

PHP min version

Downloads10.9M

Community Trust

Rating82/100

Number of ratings998

Active installs100K

Alternatives

Download Manager Alternatives

Download Monitor – Migrate download counts

download-monitor-migrate-download-counts

100

Migrate DLM download counts.

70 No CVEs

Comdev Downloads

comdev-downloads

Comdev Downloads is a powerful plugin for uploading, managing, and tracking download packages, as well as displaying download links.

0 No CVEs

Download Monitor

download-monitor

Powerful Download Manager Plugin for WordPress

90K 29 CVEs

Download Manager Addons for Elementor

wpdm-elementor

Download Manager Addons for Elementor

7K 1 CVE

Download Monitor – CORS

download-monitor-cors

100

Download Monitor is a plugin for selling, uploading and managing downloads, tracking downloads and displaying links.

100 No CVEs

Developer Profile

Download Manager Developer Profile

Shahjada

6 plugins · 116K total installs

trust score

Avg Security Score

86/100

Avg Patch Time

727 days

View full developer profile

Detection Fingerprints

How We Detect Download Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/download-manager/assets/css/frontend.css/wp-content/plugins/download-manager/assets/css/bootstrap-grid.min.css/wp-content/plugins/download-manager/assets/css/fontawesome.min.css/wp-content/plugins/download-manager/assets/js/wpdm-front.js/wp-content/plugins/download-manager/assets/js/axios.min.js/wp-content/plugins/download-manager/assets/js/sweetalert.min.js/wp-content/plugins/download-manager/assets/js/wpdm-script.js/wp-content/plugins/download-manager/assets/js/wpdm-vue.js

Script Paths

/wp-content/plugins/download-manager/assets/js/wpdm-front.js/wp-content/plugins/download-manager/assets/js/axios.min.js/wp-content/plugins/download-manager/assets/js/sweetalert.min.js/wp-content/plugins/download-manager/assets/js/wpdm-script.js/wp-content/plugins/download-manager/assets/js/wpdm-vue.js

Version Parameters

download-manager/assets/css/frontend.css?ver=download-manager/assets/css/bootstrap-grid.min.css?ver=download-manager/assets/css/fontawesome.min.css?ver=download-manager/assets/js/wpdm-front.js?ver=download-manager/assets/js/axios.min.js?ver=download-manager/assets/js/sweetalert.min.js?ver=download-manager/assets/js/wpdm-script.js?ver=download-manager/assets/js/wpdm-vue.js?ver=

HTML / DOM Fingerprints

CSS Classes

wpdm-category-listwpdm-package-listwpdm-download-linkwpdm-social-buttonswpdm-login-formwpdm-user-dashboardwpdm-access-noticewpdm-nav-menu+2 more

Data Attributes

data-package-iddata-templatedata-actiondata-redirect-urldata-show-logindata-show-signup

JS Globals

WPDMwpdm_frontend_datawpdm_modal_settingsWPDM_API

REST Endpoints

/wp-json/wpdm/v1/packages/wp-json/wpdm/v1/categories/wp-json/wpdm/v1/download/wp-json/wpdm/v1/user

Shortcode Output

[wpdm_packages[wpdm_categories[wpdm_download_link[wpdm_login_form

FAQ

Download Manager Security & Risk Analysis

Is Download Manager Safe to Use in 2026?

Mostly Safe

Key Concerns

Download Manager Security Vulnerabilities

CVEs by Year

Severity Breakdown

Download Manager Release Timeline

Download Manager Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Download Manager Attack Surface

AJAX Handlers 52

REST API Routes 5

Shortcodes 24

Scheduled Events 2

Download Manager Maintenance & Trust

Maintenance Signals

Community Trust

Download Manager Alternatives

Download Monitor – Migrate download counts

Comdev Downloads

Download Monitor

Download Manager Addons for Elementor

Download Monitor – CORS

Download Manager Developer Profile

How We Detect Download Manager

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Download Manager