CVE-2025-12177Use of Hard-coded Cryptographic Key in Download Manager

CWE-321Use of Hard-coded Cryptographic Key3 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 69.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Codename065 Download Manager
Timeline
PublishedNov 8

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-5vw4-6m45-994c: The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDa2025-11-08
CVEList
Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key2025-11-08
CVE-2025-12177 — Use of Hard-coded Cryptographic Key | cvebase