WP-DownloadManager Security & Risk Analysis

wordpress.org/plugins/wp-downloadmanager

Adds a simple download manager to your WordPress blog.

3K active installs · v1.69.1 · PHP + WP 4.0+ · Updated Feb 13, 2026
Tags: download, downloads, file, files, manager
Security score 89 · Grade A · Safe
CVEs total: 10
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is WP-DownloadManager Safe to Use in 2026?

Generally Safe

Score 89/100

WP-DownloadManager has no unpatched CVEs. The five vulnerabilities reported since 2024 were fixed within a week of publication (most within a day); the 2020-2022 CVEs stayed open far longer (740 to 1015 days by the patch-time figures in the vulnerability list). It's a solid choice for most WordPress installations, provided it is kept on the current release.

10 known CVEs · Last CVE: Feb 17, 2026 · Updated 3mo ago
Risk Assessment

The wp-downloadmanager plugin v1.69.1 presents a mixed security posture. Static analysis shows a small attack surface (three shortcodes, no unprotected entry points) with 11 capability checks and 5 nonce checks, but SQL handling is the weak spot: 32 of 37 queries (86%) do not go through prepared statements. Together with the six file operations, this means any request value that reaches a query or a file path without rigorous validation becomes an injection or traversal vector. No external HTTP requests were found.
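As an added example that is not code from WP-DownloadManager, the difference the 86% figure points at: the same lookup written with the request value pasted into the SQL text and written with a bound parameter, run against a constructed in-memory SQLite table. The table layout, the PDO connection and the payload are assumptions for the demo; inside WordPress the bound form is $wpdb->prepare() with %s and %d placeholders, shown in a comment.

```php
<?php
// Added example, not code from WP-DownloadManager. Shows why unprepared
// queries matter: a constructed in-memory SQLite table stands in for the
// plugin's download table (pdo_sqlite extension required, PHP 8+).
declare(strict_types=1);

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE downloads (file_id INTEGER PRIMARY KEY, file_name TEXT, file_permission INTEGER)');
    // Constructed rows: permission 0 = public, anything else = restricted.
    $db->exec("INSERT INTO downloads VALUES (1, 'public.pdf', 0), (2, 'members.zip', 1), (3, 'admin-notes.txt', 2)");
    return $db;
}

// Vulnerable pattern: the request value is pasted into the SQL text, so the
// database parses whatever the caller sends as part of the statement.
function public_file_raw(PDO $db, string $name): array
{
    $sql = "SELECT file_id, file_name FROM downloads WHERE file_name = '$name' AND file_permission = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value travels as a bound parameter and is never parsed
// as SQL. WordPress equivalent (assumed table/column names):
//   $wpdb->get_results( $wpdb->prepare(
//       "SELECT file_id, file_name FROM {$wpdb->prefix}downloads WHERE file_name = %s AND file_permission = %d",
//       $name, 0 ) );
function public_file_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT file_id, file_name FROM downloads WHERE file_name = :name AND file_permission = 0');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = make_demo_db();
$benign  = 'public.pdf';
$hostile = "x' OR 1=1 --";   // constructed payload: closes the string, then comments out the permission check

foreach (['raw' => 'public_file_raw', 'prepared' => 'public_file_prepared'] as $label => $fn) {
    printf("%-9s benign  -> %d row(s)\n", $label, count($fn($db, $benign)));
    printf("%-9s hostile -> %d row(s)\n", $label, count($fn($db, $hostile)));
}
```

With the benign name both functions return the one public row. With the hostile value the interpolated query returns all three rows, restricted files included, because the permission clause has been commented away; the prepared query returns nothing, since no file is literally named `x' OR 1=1 --`. The same applies to $wpdb: a query built with string concatenation has no protection that a stray quote cannot undo.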

The vulnerability history is a major red flag. The plugin has ten known CVEs, including two high-severity ones. The types of past vulnerabilities (Path Traversal, Unrestricted Upload, XSS, SSRF) all point at recurring input validation and sanitization problems, and the two most recent CVEs were published in February 2026, a month before this analysis, so the pattern is current rather than historical. One mitigating factor: every CVE since 2025 requires an authenticated Administrator+ account, a role that on a default single-site WordPress install can already upload plugin code, so the practical impact of those entries is lower than the severity labels alone suggest (the CVSS 2.7 on CVE-2026-2419 reflects this). There are currently no unpatched vulnerabilities, but the historical pattern is concerning.

In conclusion, the plugin limits its direct attack surface and implements some security checks. However, the prevalence of raw SQL queries and the long history of high- and medium-severity vulnerabilities, particularly input validation and path manipulation issues, call for caution. Run the latest patched version (1.69.1 or later), and keep administrator accounts few and well protected, since that role is the precondition for the recent path traversal and upload issues.

Key Concerns

  • High percentage of SQL queries without prepared statements
  • History of 2 high severity CVEs
  • History of 7 medium severity CVEs
  • History of 1 low severity CVE
  • Common vulnerability types indicate input sanitization issues
  • Bundled library (TinyMCE) may have its own vulnerabilities
Vulnerabilities
10 published

WP-DownloadManager Security Vulnerabilities

CVEs by Year

2021: 2 · 2022: 2 · 2024: 1 · 2025: 3 · 2026: 2 (all patched, none unpatched)

Severity Breakdown

High: 2 · Medium: 7 · Low: 1 (10 total CVEs)

CVE-2026-2426 · medium · CVSS 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'file' Parameter
Published Feb 17, 2026 · Patched in 1.69.1 (1d)

CVE-2026-2419 · low · CVSS 2.7 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter
Published Feb 17, 2026 · Patched in 1.69.1 (1d)

CVE-2025-10747 · high · CVSS 7.2 · Unrestricted Upload of File with Dangerous Type
WP-DownloadManager <= 1.68.11 - Authenticated (Admin+) Arbitrary File Upload
Published Sep 25, 2025 · Patched in 1.69 (1d)

CVE-2025-4798 · medium · CVSS 4.9 · Exposure of Sensitive Information to an Unauthorized Actor
WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Read
Published Jun 10, 2025 · Patched in 1.68.11 (1d)

CVE-2025-4799 · high · CVSS 7.2 · Absolute Path Traversal
WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion
Published Jun 10, 2025 · Patched in 1.68.11 (1d)

CVE-2024-47341 · medium · CVSS 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-DownloadManager <= 1.68.8 - Reflected Cross-Site Scripting
Published Sep 27, 2024 · Patched in 1.68.9 (7d)

CVE-2022-25605 · medium · CVSS 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-DownloadManager plugin <= 1.68.6 - Stored Cross-Site Scripting
Published Jan 12, 2022 · Patched in 1.68.7 (740d)

CVE-2022-25606 · medium · CVSS 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-DownloadManager <= 1.68.6 - Stored Cross-Site Scripting
Published Jan 10, 2022 · Patched in 1.68.7 (742d)

CVE-2021-44760 · medium · CVSS 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP-DownloadManager plugin <= 1.68.6 - Reflected Cross-Site Scripting
Published Dec 28, 2021 · Patched in 1.68.7 (755d)

CVE-2020-24141 · medium · CVSS 5.3 · Server-Side Request Forgery (SSRF)
WP-DownloadManager <= 1.68.4 - Server-Side Request Forgery
Published Apr 13, 2021 · Patched in 1.68.5 (1015d)
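The recurring classes in the list above are path traversal in file read/delete handlers and unrestricted upload. As an added example (not the plugin's code, and not a reconstruction of any of the patches), here is the containment check and upload-name policy a hardened handler would apply. The directory layout, function names, extension allowlist and test inputs are assumptions for the demo.

```php
<?php
// Added example, not WP-DownloadManager code. Hardening patterns for the
// weakness classes in the CVE list above (path traversal in file read/delete,
// unrestricted upload). Runs against a constructed temporary directory;
// function names, the extension allowlist and the test inputs are this
// example's own. PHP 8+ (str_starts_with / str_contains).
declare(strict_types=1);

/**
 * Canonicalise a request-supplied file name inside $base_dir.
 * Returns the absolute path of an existing regular file strictly below
 * $base_dir, or null for anything else (absolute paths, "..", NUL bytes,
 * symlinks that point outside the directory, or a missing file).
 */
function resolve_download(string $base_dir, string $user_path): ?string
{
    $base = realpath($base_dir);
    if ($base === false || $user_path === '' || str_contains($user_path, "\0")) {
        return null;
    }
    // Absolute paths (POSIX, UNC or drive letter) are never a valid download name.
    if ($user_path[0] === '/' || $user_path[0] === '\\' || preg_match('/^[A-Za-z]:/', $user_path)) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the containment test
    // below sees the real target rather than the lexical name.
    $target = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Prefix test includes the separator: "/srv/files" must not match "/srv/files2/x".
    return str_starts_with($target, $base . DIRECTORY_SEPARATOR) ? $target : null;
}

function delete_download(string $base_dir, string $user_path): bool
{
    $target = resolve_download($base_dir, $user_path);
    return $target !== null && unlink($target);
}

/**
 * Upload name policy: plain basename, final extension on an allowlist, and no
 * server-executable extension anywhere in the name (shell.php.zip is refused
 * because some web servers evaluate extensions from left to right).
 */
function is_allowed_upload_name(string $file_name): bool
{
    $allowed = ['pdf', 'zip', 'txt', 'png', 'jpg', 'jpeg'];
    if ($file_name === '' || basename($file_name) !== $file_name || str_contains($file_name, "\0")) {
        return false;
    }
    $parts = explode('.', strtolower($file_name));
    if (count($parts) < 2 || !in_array(end($parts), $allowed, true)) {
        return false;
    }
    array_shift($parts); // everything after the base name is treated as an extension
    foreach ($parts as $ext) {
        if (preg_match('/^(ph(p\d?|tml|ar|ps)|cgi|pl|py|sh|htaccess)$/', $ext)) {
            return false;
        }
    }
    return true;
}

// Constructed fixture: a download directory with one file, and a file outside it.
$root = sys_get_temp_dir() . '/wpdm-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.pdf', 'inside');
file_put_contents($root . '/secret.txt', 'outside');

foreach (['report.pdf', '../secret.txt', '/etc/hostname', 'missing.pdf'] as $name) {
    $resolved = resolve_download($root . '/files', $name);
    printf("%-16s => %s\n", $name, $resolved === null ? 'rejected' : 'ok ' . basename($resolved));
}
printf("delete ../secret.txt => %s (file still present: %s)\n",
    delete_download($root . '/files', '../secret.txt') ? 'deleted' : 'refused',
    is_file($root . '/secret.txt') ? 'yes' : 'no');

foreach (['archive.zip', 'Photo.JPG', 'shell.php', 'shell.php.zip', '../x.pdf', '.htaccess'] as $name) {
    printf("%-14s => %s\n", $name, is_allowed_upload_name($name) ? 'allowed' : 'refused');
}

// Clean up the fixture.
unlink($root . '/files/report.pdf'); unlink($root . '/secret.txt');
rmdir($root . '/files'); rmdir($root);
```

Two design points worth noting. The containment check compares canonical paths, not the lexical string, so `..` segments and symlinks are judged by where they actually land; and it is evaluated on every request rather than only when the setting is saved, which is what distinguishes a 'download_path' that is validated once from one an administrator can later point at an arbitrary directory. The upload policy inspects every extension component, because a final-extension check alone accepts `shell.php.zip`.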
Code Analysis
Analyzed Mar 16, 2026

WP-DownloadManager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 32 (5 prepared)
Unescaped Output: 146 (161 escaped)
Nonce Checks: 5
Capability Checks: 11
File Operations: 6
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

14% prepared · 37 total queries

Output Escaping

52% escaped · 307 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

5 flows
download-add (download-add.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

WP-DownloadManager Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes 3

[page_download] wp-downloadmanager.php:436
[page_downloads] wp-downloadmanager.php:437
[download] wp-downloadmanager.php:445
WordPress Hooks 24

Type    Hook                           Location
action  plugins_loaded                 wp-downloadmanager.php:36
action  admin_menu                     wp-downloadmanager.php:48
action  wp_enqueue_scripts             wp-downloadmanager.php:60
action  admin_enqueue_scripts          wp-downloadmanager.php:71
action  admin_footer-post-new.php      wp-downloadmanager.php:81
action  admin_footer-post.php          wp-downloadmanager.php:82
action  admin_footer-page-new.php      wp-downloadmanager.php:83
action  admin_footer-page.php          wp-downloadmanager.php:84
action  init                           wp-downloadmanager.php:100
filter  mce_external_plugins           wp-downloadmanager.php:106
filter  mce_buttons                    wp-downloadmanager.php:107
filter  wp_mce_translation             wp-downloadmanager.php:108
filter  query_vars                     wp-downloadmanager.php:131
filter  generate_rewrite_rules         wp-downloadmanager.php:140
action  wp_head                        wp-downloadmanager.php:147
action  template_redirect              wp-downloadmanager.php:162
action  plugins_loaded                 wp-downloadmanager.php:1261
filter  wp_stats_page_admin_plugins    wp-downloadmanager.php:1263
filter  wp_stats_page_admin_recent     wp-downloadmanager.php:1264
filter  wp_stats_page_admin_most       wp-downloadmanager.php:1265
filter  wp_stats_page_plugins          wp-downloadmanager.php:1266
filter  wp_stats_page_recent           wp-downloadmanager.php:1267
filter  wp_stats_page_most             wp-downloadmanager.php:1268
action  widgets_init                   wp-downloadmanager.php:1493
Maintenance & Trust

WP-DownloadManager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 13, 2026
PHP min version:
Downloads: 309K

Community Trust

Rating: 80/100
Number of ratings: 37
Active installs: 3K
Developer Profile

WP-DownloadManager Developer Profile

Lester Chan

20 plugins · 888K total installs

Trust score: 71
Avg Security Score
88/100
Avg Patch Time
1377 days
View full developer profile
Detection Fingerprints

How We Detect WP-DownloadManager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-downloadmanager/download-css.css
/wp-content/plugins/wp-downloadmanager/download-admin-css.css
/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.js
/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.min.js

Script Paths
/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.js
/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.min.js

Version Parameters
wp-downloadmanager/download-css.css?ver=
wp-downloadmanager/download-admin-css.css?ver=
wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.js?v=
wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.min.js?v=

HTML / DOM Fingerprints

Data Attributes
ed_wp_downloadmanager

JS Globals
QTags.addButton
QTags.insertContent

Shortcode Output
[download id=
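As an added example that is not part of the page's own scanner, the fingerprints listed above applied to a constructed HTML response: asset paths are matched with their optional `?ver=` / `?v=` parameter so the plugin version can be read off the URL, and the DOM markers are checked separately. The pattern list, function name and sample markup are this example's own.

```php
<?php
// Added example, not part of the page's scanner. Applies the fingerprints
// listed above to a constructed HTML document. The pattern list, function
// name and sample markup are this example's own. PHP 8+.
declare(strict_types=1);

const WPDM_ASSET_PATHS = [
    '/wp-content/plugins/wp-downloadmanager/download-css.css',
    '/wp-content/plugins/wp-downloadmanager/download-admin-css.css',
    '/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.js',
    '/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.min.js',
];

// DOM-level markers from the fingerprint list. QTags.* is left out on purpose:
// it is the WordPress core quicktags API, so on its own it identifies nothing.
const WPDM_DOM_MARKERS = ['ed_wp_downloadmanager', '[download id='];

/**
 * Returns the evidence found in $html: which asset paths appear, any version
 * carried in a ?ver= or ?v= parameter on them, and which DOM markers matched.
 * 'confidence' is 'high' when an asset path was seen (the plugin is enqueuing
 * its own files) and 'low' when only a DOM marker matched.
 */
function detect_wp_downloadmanager(string $html): array
{
    $found = ['assets' => [], 'versions' => [], 'dom' => []];

    foreach (WPDM_ASSET_PATHS as $path) {
        // The path, optionally followed by ?ver=<x> or ?v=<x>; the value ends at a quote, '&', '>' or whitespace.
        $re = '#' . preg_quote($path, '#') . '(?:\?(?:ver|v)=([^"\'&\s>]+))?#';
        if (preg_match_all($re, $html, $m) > 0) {
            $found['assets'][] = $path;
            foreach ($m[1] as $ver) {
                if ($ver !== '') {
                    $found['versions'][] = $ver;
                }
            }
        }
    }
    foreach (WPDM_DOM_MARKERS as $marker) {
        if (str_contains($html, $marker)) {
            $found['dom'][] = $marker;
        }
    }
    $found['versions']   = array_values(array_unique($found['versions']));
    $found['detected']   = $found['assets'] !== [] || $found['dom'] !== [];
    $found['confidence'] = $found['assets'] !== [] ? 'high' : ($found['dom'] !== [] ? 'low' : 'none');
    return $found;
}

// Constructed page fragment standing in for a crawled response.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://blog.example/wp-content/plugins/wp-downloadmanager/download-css.css?ver=1.69.1" media="all">
<script src="https://blog.example/wp-content/plugins/wp-downloadmanager/tinymce/plugins/downloadmanager/plugin.min.js?v=1.69.1"></script>
<p>[download id="12"]</p>
HTML;

echo json_encode(detect_wp_downloadmanager($sample), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

For the sample above the result lists the two matched asset paths, the single version string 1.69.1 and both DOM markers. Treat the version from `?ver=` as a hint rather than proof: a site can set a global asset version or hide it with a caching plugin, and an unrendered `[download id=` in page text only shows the shortcode was typed, not that the plugin is active.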