CVE-2026-4057Missing Authorization in Download Manager

CWE-862Missing Authorization4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 89.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Codename065 Download Manager
Timeline
PublishedApr 10

Description

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

3
VulDB
codename065 Download Manager Plugin up to 3.3.51 on WordPress makeMediaPublic ID authorization2026-04-10
CVEList
Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal2026-04-10
GHSA
GHSA-5q5w-6r9g-cpgc: The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic2026-04-10
CVE-2026-4057 — Missing Authorization | cvebase