WordPress Security Bulletin: WP-DownloadManager Plugin Vulnerability (CVE-2026-2419)

On this page

Security Alert Summary

The WP-DownloadManager plugin for WordPress contains a path traversal vulnerability via the download_path configuration parameter. Insufficient validation of the download path setting can allow directory traversal sequences to bypass the WP_CONTENT_DIR prefix check, enabling authenticated administrators to configure the plugin to list and access arbitrary files on the server using the plugin’s file browser functionality.

CVE Details

  • CVE ID: CVE-2026-2419
  • Affected plugin or component: WP-DownloadManager plugin for WordPress
  • Affected versions: All versions up to, and including, 1.69
  • Published: February 18, 2026 at 8:16:15 AM
  • Last modified: February 18, 2026 at 8:16:15 AM
  • CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N — Base Score: 2.7 (LOW)
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: HIGH (requires administrator-level privileges)
    • User Interaction: NONE
    • Scope: UNCHANGED
  • Authentication / Privileges / User interaction: Authentication required; attacker must have administrator-level privileges. No user interaction required.
  • Primary impact: Confidentiality: Low; Integrity: None; Availability: None
  • CWE / weakness: CWE-22 (Path Traversal)

Technical Details

This vulnerability is a path traversal issue in the plugin’s handling of the download_path configuration parameter. The plugin attempts to enforce a WP_CONTENT_DIR prefix check for configured download paths, but insufficient validation allows directory traversal sequences to bypass that check. When an attacker with administrator-level access configures the plugin’s file browser using a crafted download_path, the plugin can be made to list and provide access to arbitrary files on the server outside the intended content directory.

The core issue is a missing or inadequate sanitization/normalization of the download path input before enforcing the prefix check. The CVE description specifically names the download_path parameter and the bypass of the WP_CONTENT_DIR prefix check as the root cause. Exploitation relies on the plugin’s file browser functionality being configurable by an administrator account.

How This Could Impact Your Website

In a typical site setup, an administrator (site owner or trusted staff member) manages plugin settings while editors, contributors, and external contractors have more limited access. If an attacker who already has administrator-level access intentionally or unknowingly configures the vulnerable download_path, they could cause the plugin to list or serve files from locations outside the intended content directory. Practical consequences may include exposure of configuration files, backups, or uploaded files that contain sensitive information such as internal email lists or credentials stored in poorly protected files.

Exposed email addresses or other contact details found in accessible files can increase the risk of targeted phishing or social engineering attacks against staff or contractors. The impact is primarily increased confidentiality risk rather than site integrity or availability, reflecting the CVSS impacts.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and privileges, especially administrator accounts and contributors with elevated access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce the attack surface.
  • Monitor site activity and server logs for unusual behavior such as unexpected file listings or downloads.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References