Download Manager

Vulnerabilities: 106 | Slug: download-manager | Latest version: 3.3.55

Minimum safe version

3.3.54

Update to 3.3.54 or later to address 105 fixable vulnerabilities

Latest available: 3.3.55 | Affected up to: 2.7.4
Medium 6.1
2025-09-19 < 3.3.24

Download Manager <= 3.3.23 - Reflected Cross-Site Scripting via `user_ids` Parameter

N/A
2026-02-17 < 3.3.47

Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter

N/A
2026-03-18 < 3.3.50

Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter

N/A
2026-04-08 < 3.3.53

Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

N/A
2026-04-09 < 3.3.52

Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal

Medium 6.4
2025-06-19 < 3.3.19

Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode

High 8.8
2025-04-18 < 3.3.13

Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion

Medium 5.4
2025-04-18 < 3.3.13

Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Medium 5.4
2025-03-13 < 3.3.09

Download Manager <= 3.3.08 - Authenticated (Author+) Path Traversal to Limited File Overwrite

Medium 4.8
2025-05-15 < 3.2.99

Download Manager <= 3.2.98 - Authenticated (Admin+) Stored Cross-Site Scripting

N/A
2013-12-07 < 2.5.9

Download Manager <= 2.5.8 - Cross-Site Scripting

N/A
2014-08-01 < 2.2.3

Download Manager <= 2.2.2 - Cross-Site Scripting

N/A
2014-12-15 < 2.7.5

WordPress Download Manager <= 2.7.4 - Remote Code Execution

N/A
2015-07-16 < 2.7.95

WordPress Download Manager <= 2.7.94 - Stored Cross-Site Scripting

N/A
2016-01-19 < 2.8.8

Download Manager <= 2.8.7 - Missing Authorization

N/A
2016-01-19 < 2.8.8

Download Manager <= 2.8.7 - Privilege Escalation

N/A
2016-01-19 < 2.8.8

Download Manager <= 2.8.7 - Sensitive Information Disclosure via Directory Listing

N/A
2017-03-01 < 2.9.46

WordPress Download Manager <= 2.9.45 - Cross-Site Request Forgery

N/A
2018-01-09 < 2.9.61

WordPress Download Manager <= 2.9.6 - Cross-Site Request Forgery

N/A
2019-06-16 < 2.9.97

WordPress Download Manager <= 2.9.96 - Cross-Site Scripting

N/A
2021-04-16 < 3.1.17

Download Manager <= 3.1.17 - Missing Authorization

N/A
2021-04-30 < 3.1.19

WordPress Download Manager < 3.1.19 - Arbitrary File Upload

N/A
2021-04-30 < 3.1.23

WordPress Download Manager < 3.1.23 - Arbitrary Asset Manager Usage

N/A
2021-04-30 < 3.1.22

WordPress Download Manager < 3.1.22 - Cross-Site Request Forgery

N/A
2021-08-09 < 3.2.13

WordPress Download Manager <= 3.2.12 - Cross-Site Request Forgery

N/A
2022-06-23 < 3.2.44

Download Manager <= 3.2.43 - Reflected Cross-Site Scripting

N/A
2022-08-04 < 3.2.54

Download Manager <= 3.2.53 - Reflected Cross-Site Scripting

N/A
< 3.2.60

WordPress Download Manager Plugin <= 3.2.59 is vulnerable to Cross Site Scripting (XSS)

N/A
< 2.2.3

Download Manager <= 2.2.2 - admin.php cid Parameter XSS

N/A
< 2.7.5

Download Manager <= 2.7.4 - Code Execution / Remote File Inclusion

N/A
< 2.7.95

Download Manager <= 2.7.94 - Authenticated Stored XSS

N/A
< 2.8.8

Download Manager <= 2.8.7 - Multiple Vulnerabilities

N/A
< 2.9.46

Download Manager <= 2.9.45 - Cross-Site Request Forgery (CSRF)

N/A
< 2.9.61

Download Manager <= 2.9.60 - Cross-Site Request Forgery (CSRF)

N/A
< 2.9.97

Download Manager <= 2.9.96 - Various Sanitisation Issues

N/A
< 3.1.18

WordPress Download Manager < 3.1.18 - Unauthorised Download Duplication

N/A
< 3.1.23

Download Manager < 3.1.23 - Unauthorised Asset Manager Usage

N/A
< 3.1.22

Download Manager < 3.1.22 - Plugin Settings Change via CSRF

N/A
< 3.1.19

Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE

N/A
< 3.2.13

WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF

N/A
< 3.2.44

Download Manager < 3.2.44 - Unauthenticated Reflected Cross-Site Scripting

N/A
< 3.2.53

Download Manager < 3.2.53 - Unauthenticated Reflected Cross-Site Scripting

N/A
2022-06-27 < 3.2.44

WordPress Download Manager plugin <= 3.2.43 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability

N/A
2014-12-15 ≥ 2.7.0 and ≤ 2.7.4

WordPress Download Manager 2.7.4 - Remote Code Execution

N/A
2015-05-15 < 2.2.3

WordPress Download Manager Plugin <= 2.2.2 - XSS

N/A
2015-07-16 < 2.7.95

WordPress Download Manager Free 2.7.94 & Pro 4 - Authenticated Stored XSS

N/A
2015-12-20 < 2.7.95

WordPress Download Manager Plugin <= 2.7.94 - Stored XSS

N/A
2016-01-19 < 2.8.8

WordPress Download Manager Plugin <= 2.8.7 - Multiple Vulnerabilities

N/A
2017-06-27 < 2.9.46

WordPress Download Manager plugin <= 2.8.97 - Authenticated Arbitrary File Upload Vulnerability

N/A
2018-01-10 < 2.9.61

WordPress Download Manager plugin <= 2.9.60 - Cross-Site Request Forgery (CSRF) vulnerability

N/A
2019-04-23 < 2.9.94

WordPress Download Manager plugin <= 2.9.93 - Authenticated Cross-Site Scripting (XSS) vulnerability

N/A
2019-06-16 < 2.9.97

WordPress Download Manager plugin <= 2.9.96 - Multiple vulnerabilities

N/A
2021-08-09 < 3.2.13

WordPress Download Manager plugin <= 3.2.12 - Email Template Setting Update via Cross-Site Request Forgery (CSRF) vulnerability

Medium 6.1
2017-07-13 < 2.9.51

WordPress Download Manager < 2.9.51 - Open Redirect