CVE-2025-15364Missing Support for Integrity Check in Download Manager

CWE-353Missing Support for Integrity Check4 documents4 sources
Severity
7.3HIGHNVD
EPSS
0.0%
top 88.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Codename065 Download Manager
Timeline
PublishedJan 6

Description

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-643w-m4mx-5pvw: The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 32026-01-06
CVEList
Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword2026-01-06

🕵️Threat Intelligence

1
Wiz
CVE-2025-15364 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-15364 — Missing Support for Integrity Check | cvebase