CVE-2026-4057 Overview
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic() and makeMediaPrivate() functions in all versions up to, and including, 3.3.51. This vulnerability stems from the functions only checking for edit_posts capability without verifying post ownership via current_user_can('edit_post', $id), combined with destructive operations executing before the admin-level check in mediaAccessControl(). This allows authenticated attackers with Contributor-level access and above to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.
Critical Impact
Authenticated attackers with minimal privileges can expose protected media files by stripping security metadata, potentially leading to unauthorized access to sensitive documents and downloads managed by the Download Manager plugin.
Affected Products
- Download Manager plugin for WordPress versions up to and including 3.3.51
- WordPress installations using vulnerable Download Manager versions
- Sites with contributor-level or higher user accounts
Discovery Timeline
- 2026-04-10 - CVE-2026-4057 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-4057
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization) and represents a Broken Access Control flaw in the WordPress Download Manager plugin. The core issue lies in the improper implementation of capability checks within the media access control functionality.
The vulnerable functions makeMediaPublic() and makeMediaPrivate() perform destructive operations on media file metadata before adequate authorization verification occurs. While the code does check for the edit_posts capability, this generic WordPress capability is insufficient for protecting resources owned by other users. The proper security control would require verifying ownership using current_user_can('edit_post', $id) which validates both capability and ownership in a single check.
The execution flow allows the destructive metadata stripping operations to complete before the admin-level verification in mediaAccessControl() has a chance to reject unauthorized requests. This ordering of data modification ahead of privilege verification is the security gap that attackers can exploit: by the time the request is rejected, the protection metadata has already been removed.
Root Cause
The root cause is a missing ownership verification check in the makeMediaPublic() and makeMediaPrivate() functions within the MediaAccessControl.php file. The functions rely solely on the generic edit_posts capability which WordPress grants to Contributors and above, rather than implementing proper resource-level authorization that verifies the requesting user owns the specific media file being modified. Additionally, the sequence of operations places security checks after destructive actions have already been executed.
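The ordering and authorization pattern described above, as an added illustration that is not the Download Manager plugin's own source. The handler names, the `__wpdm_*` meta keys and the `wpdmpro` post type are assumptions used to make the pattern concrete.

```php
<?php
// Illustrative AJAX handler pair: the flaw described above beside its fix.
// Hypothetical code, not the plugin's source; meta keys and post type are assumed.

// Vulnerable pattern: generic capability only, destructive work before the real check.
function insecure_make_media_public( $id ) {
    if ( ! current_user_can( 'edit_posts' ) ) {      // every Contributor passes this
        wp_send_json_error( 'denied', 403 );
    }
    delete_post_meta( $id, '__wpdm_password' );      // protection is already gone...
    delete_post_meta( $id, '__wpdm_access' );
    delete_post_meta( $id, '__wpdm_private' );
    if ( ! current_user_can( 'manage_options' ) ) {  // ...before this admin-level check runs
        wp_send_json_error( 'denied', 403 );
    }
    wp_send_json_success();
}

// Hardened pattern: nonce, object-level capability (capability + ownership), then act.
function secure_make_media_public( $id ) {
    check_ajax_referer( 'wpdm_media_access', 'nonce' );          // CSRF protection
    $id = absint( $id );
    if ( ! $id || get_post_type( $id ) !== 'wpdmpro' ) {        // assumed post type
        wp_send_json_error( 'invalid id', 400 );
    }
    // edit_post goes through map_meta_cap: a Contributor only passes for a post
    // they authored, and only while it is not yet published.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'denied', 403 );
    }
    foreach ( array( '__wpdm_password', '__wpdm_access', '__wpdm_private' ) as $key ) {
        delete_post_meta( $id, $key );               // destructive work only after authorization
    }
    wp_send_json_success( array( 'id' => $id ) );
}
add_action( 'wp_ajax_secure_make_media_public', function () {
    secure_make_media_public( isset( $_POST['id'] ) ? $_POST['id'] : 0 );
} );
```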
Attack Vector
This vulnerability is exploitable over the network by any authenticated user with at least Contributor-level access to the WordPress installation. The attack requires no user interaction and targets the plugin's AJAX handlers for media access control.
An attacker with Contributor access can craft requests to the makeMediaPublic() function targeting media files owned by administrators or other users. By specifying the target media file ID, the attacker can strip protection metadata including:
- Password protection settings
- Access restriction rules
- Private file flags
Once the protection is removed, the media file becomes accessible via its direct URL to anyone, bypassing intended access controls. For technical details on the vulnerable code paths, see the MediaAccessControl.php Line 237 and Line 257 references.
Detection Methods for CVE-2026-4057
Indicators of Compromise
- Unexpected changes to media file protection settings in Download Manager
- Protected files suddenly becoming publicly accessible
- Audit log entries showing media access modifications by non-owner users
- AJAX requests to Download Manager endpoints from low-privilege accounts targeting high-value file IDs
Detection Strategies
- Monitor WordPress audit logs for makeMediaPublic and makeMediaPrivate function calls from Contributor-level accounts
- Implement file integrity monitoring on Download Manager protected file metadata
- Review user activity logs for suspicious patterns of media access modifications across multiple files not owned by the user
- Deploy Web Application Firewall (WAF) rules to detect anomalous AJAX request patterns to Download Manager endpoints
Monitoring Recommendations
- Enable comprehensive WordPress audit logging for the Download Manager plugin
- Set up alerts for changes to protected media file status, especially when modified by non-administrator users
- Regularly audit user roles and remove unnecessary Contributor-level access
- Monitor direct URL access to previously protected media files
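One way to implement the alerting recommended above from inside WordPress, as an added example that is not part of the Download Manager plugin: a must-use plugin that hooks post meta changes and reports any protection metadata removed or altered by a user who is neither the file's author nor an administrator. It assumes protection meta keys contain the substring "wpdm", matching the postmeta query used later on this page.

```php
<?php
/**
 * Plugin Name: WPDM protection-meta watch (illustrative, hypothetical mu-plugin)
 * Logs and emails when Download Manager protection metadata on a post is deleted or
 * updated by a non-owner, non-administrator user. Assumes keys contain "wpdm".
 */
function wpdmwatch_is_protection_key( $key ) {
    return false !== strpos( $key, 'wpdm' );   // assumption: plugin meta keys contain "wpdm"
}

function wpdmwatch_report( $object_id, $meta_key, $event ) {
    if ( ! wpdmwatch_is_protection_key( $meta_key ) ) {
        return;
    }
    $post = get_post( $object_id );
    if ( ! $post ) {
        return;
    }
    $uid = get_current_user_id();
    // Owner or administrator changing their own settings is expected; everything else is reported.
    if ( (int) $post->post_author === $uid || user_can( $uid, 'manage_options' ) ) {
        return;
    }
    $line = sprintf(
        'WPDM alert: %s of %s on post %d (author %d) by user %d from %s',
        $event, $meta_key, $object_id, $post->post_author, $uid,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    );
    error_log( $line );
    wp_mail( get_option( 'admin_email' ), 'Download Manager protection change', $line );
}

// deleted_post_meta passes an array of meta ids, updated_post_meta a single id;
// both pass the object id and meta key as the second and third arguments.
add_action( 'deleted_post_meta', function ( $ids, $object_id, $meta_key ) {
    wpdmwatch_report( $object_id, $meta_key, 'deletion' );
}, 10, 3 );
add_action( 'updated_post_meta', function ( $id, $object_id, $meta_key ) {
    wpdmwatch_report( $object_id, $meta_key, 'update' );
}, 10, 3 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins; entries land in the PHP error log and the site admin's mailbox.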
How to Mitigate CVE-2026-4057
Immediate Actions Required
- Update Download Manager plugin to version 3.3.52 or later immediately
- Audit all protected media files to verify protection settings remain intact
- Review user accounts with Contributor-level access or higher for any suspicious activity
- Temporarily restrict user registration and role assignments until patching is complete
Patch Information
The vulnerability has been addressed in Download Manager version 3.3.52. The patch implements proper ownership verification using current_user_can('edit_post', $id) and ensures authorization checks occur before any destructive operations. The fix can be reviewed in the WordPress Changeset #3492316 and the full version comparison between 3.3.51 and 3.3.52. Additional details are available in the Wordfence vulnerability report.
Workarounds
- Restrict Contributor and Author role capabilities using a role management plugin until patching is possible
- Implement server-level access controls for protected media directories independent of WordPress
- Consider temporarily disabling the Download Manager plugin if critical protected files are at risk
- Use additional security plugins to monitor and restrict AJAX requests to sensitive endpoints
# Verify Download Manager plugin version
wp plugin list --name=download-manager --fields=name,version,update_version
# Update Download Manager to patched version
wp plugin update download-manager
# Audit recent changes to media protection settings
wp db query "SELECT * FROM wp_postmeta WHERE meta_key LIKE '%wpdm%' ORDER BY meta_id DESC LIMIT 50"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.