CVE-2025-4799
WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion
highAbsolute Path Traversal
7.2
CVSS Score
7.2
CVSS Score
high
Severity
1.68.11
Patched in
1d
Time to patch
Description
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=1.68.10PublishedJune 10, 2025
Last updatedJune 11, 2025
Affected pluginwp-downloadmanager
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.