CVE-2025-13498Missing Authorization in Download Manager

CWE-862Missing Authorization4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 87.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Codename065 Download Manager
Timeline
PublishedDec 18

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-2rj3-rg6r-7hhr: The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 32025-12-18
CVEList
Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure2025-12-18

🕵️Threat Intelligence

1
Wiz
CVE-2025-13498 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-13498 — Missing Authorization | cvebase