CVE-2025-15364 Overview
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This vulnerability stems from improper validation of user identity prior to updating user details such as passwords. Unauthenticated attackers can exploit this flaw to change user passwords (excluding administrators) and subsequently gain unauthorized access to their accounts.
Critical Impact
Unauthenticated attackers can take over non-administrator user accounts by changing their passwords without proper authorization, potentially leading to data theft, unauthorized actions, and further compromise of WordPress sites.
Affected Products
- WordPress Download Manager plugin versions up to and including 3.3.40
- WordPress sites utilizing the vulnerable Download Manager plugin
- Any web application integrating the affected plugin versions
Discovery Timeline
- 2026-01-06 - CVE-2025-15364 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-15364
Vulnerability Analysis
This vulnerability represents a classic example of missing origin validation (CWE-353), where the application fails to verify that a request to modify user data originates from an authorized source. The Download Manager plugin does not properly authenticate the user making a password change request, allowing unauthenticated attackers to modify credentials for non-administrator accounts.
The flaw is exploitable over the network without authentication or user interaction. Although administrator accounts are not directly affected, compromising regular user accounts can serve as a stepping stone for further attacks, including social engineering, data exfiltration, or chaining additional vulnerabilities to escalate privileges further.
Root Cause
The root cause lies in the plugin's Crypt.php component, specifically in how it handles user identity validation during account updates. The plugin accepts password change requests without verifying that the requester has the authority to modify the target account. This missing validation check allows any unauthenticated user to initiate password changes for other users by crafting malicious requests.
Attack Vector
The attack can be executed remotely over the network. An attacker can send specially crafted HTTP requests to the WordPress site running the vulnerable plugin. By manipulating the request parameters, they can target specific user accounts and reset their passwords without proper authorization.
The exploitation flow typically involves:
- Identifying a WordPress site running the vulnerable Download Manager plugin
- Enumerating user accounts through various WordPress reconnaissance techniques
- Crafting a malicious request to the password change functionality
- Bypassing the identity validation to set a new password for the target user
- Logging in with the compromised credentials
For technical implementation details, refer to the WordPress Plugin Code Review which shows the affected code path.
Detection Methods for CVE-2025-15364
Indicators of Compromise
- Unexpected password change notifications or reset emails for user accounts
- Authentication logs showing successful logins from unusual IP addresses or locations for non-administrator accounts
- Multiple failed login attempts followed by successful authentication with new credentials
- Suspicious HTTP requests targeting Download Manager plugin endpoints related to user management
Detection Strategies
- Monitor WordPress authentication logs for unusual password change activity, particularly for accounts that haven't recently requested resets
- Implement Web Application Firewall (WAF) rules to detect and block suspicious requests to Download Manager plugin endpoints
- Set up alerts for multiple user account modifications occurring in short timeframes
- Review access logs for requests targeting /wp-content/plugins/download-manager/ paths with user modification parameters
Monitoring Recommendations
- Enable WordPress audit logging to track all user account modifications and their sources
- Configure SIEM rules to correlate password changes with subsequent login activity from new IP addresses
- Monitor for enumeration activity that may precede exploitation attempts
- Implement real-time alerting for any unauthenticated requests attempting to modify user data
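To give the access-log review in the Detection Strategies and the unauthenticated-modification alerting in the Monitoring Recommendations a concrete form, here is an added example that is not part of the original advisory or of the plugin's code: it parses constructed access-log lines, flags POST requests to the Download Manager plugin path that carry user-modification parameters and show no WordPress login cookie, and counts the flagged requests per source IP. The log format (Apache combined plus a trailing quoted Cookie header), the endpoint file name and the parameter names are assumptions, because the advisory does not name the real ones.

```python
"""Flag unauthenticated user-modification requests to the Download Manager path.

Log format ASSUMED: Apache combined format plus a trailing quoted Cookie header.
USER_MOD_PARAMS and the endpoint file name below are placeholders; the advisory
does not name the plugin's real request parameters or endpoint."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

PLUGIN_PATH = "/wp-content/plugins/download-manager/"
USER_MOD_PARAMS = {"user_id", "user_login", "password", "new_password", "email"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec):
    """True for a POST under the plugin path that carries user-modification
    parameters and no WordPress login cookie (i.e. an unauthenticated request)."""
    parts = urlsplit(rec["url"])
    if not parts.path.startswith(PLUGIN_PATH):
        return False
    if not set(parse_qs(parts.query)) & USER_MOD_PARAMS:
        return False
    # WordPress sets wordpress_logged_in_<hash> for authenticated sessions
    authenticated = "wordpress_logged_in_" in rec["cookie"]
    return rec["method"] == "POST" and not authenticated

def scan(lines):
    """Return the flagged records and a per-IP count of flagged requests."""
    flagged = [r for r in map(parse_line, lines) if r and is_suspicious(r)]
    return flagged, Counter(r["ip"] for r in flagged)

# Constructed sample log lines (not real traffic; endpoint.php is a placeholder)
SAMPLE_LOG = [
    '198.51.100.4 - - [06/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/download-manager/assets/js/front.js HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [06/Jan/2026:10:00:05 +0000] "POST /wp-content/plugins/download-manager/endpoint.php?user_id=5&new_password=x HTTP/1.1" 200 88 "-" "curl/8.0" "-"',
    '203.0.113.7 - - [06/Jan/2026:10:00:06 +0000] "POST /wp-content/plugins/download-manager/endpoint.php?user_id=6&new_password=x HTTP/1.1" 200 88 "-" "curl/8.0" "-"',
    '192.0.2.9 - - [06/Jan/2026:10:01:00 +0000] "POST /wp-content/plugins/download-manager/endpoint.php?user_id=9&email=a@b.test HTTP/1.1" 200 88 "-" "Mozilla/5.0" "wordpress_logged_in_abc=9%7Cxyz"',
    '192.0.2.9 - - [06/Jan/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    flagged, per_ip = scan(SAMPLE_LOG)
    for r in flagged:
        print(f'{r["ip"]} {r["ts"]} {r["method"]} {r["url"]}')
    print(dict(per_ip))
```

Parameters sent in a POST body do not appear in a standard access log, so for those the same check belongs in WAF or application-level logging.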
How to Mitigate CVE-2025-15364
Immediate Actions Required
- Update the Download Manager plugin to a version higher than 3.3.40 immediately
- Review recent user account activity for signs of unauthorized password changes
- Force password resets for all non-administrator accounts as a precautionary measure
- Temporarily disable the Download Manager plugin if an immediate update is not possible
Patch Information
The vulnerability has been addressed in plugin versions released after 3.3.40. The patch implements proper user identity validation before allowing password modifications. Details of the fix can be reviewed in the WordPress Change Set 3431915. Additional vulnerability details are available in the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the Download Manager plugin until the patch can be applied
- Implement strict WAF rules to block unauthenticated requests to user management endpoints
- Enable additional authentication requirements such as multi-factor authentication (MFA) for all user accounts
- Restrict access to WordPress admin and plugin directories at the web server level using IP whitelisting where feasible
# Temporary workaround: Disable plugin via WP-CLI
wp plugin deactivate download-manager
# After updating, re-enable with
wp plugin activate download-manager
# Force password reset for all non-admin users (use with caution)
wp user reset-password $(wp user list --role=subscriber,editor,author,contributor --field=ID)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

