CVE-2026-2571 — Sensitive Information Exposure in Download Manager

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 89.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codename065 Download Manager

Timeline

PublishedMar 19

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5codename065/download_manager3.3.49

🔴Vulnerability Details

GHSA

GHSA-94v4-f8fh-fgp2: The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' fun↗2026-03-19

▶

CVEList

Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2571 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶