{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4057", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T16:54:21.437Z", "datePublished": "2026-04-10T01:24:58.764Z", "dateUpdated": "2026-04-10T01:24:58.764Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:58.764Z"}, "affected": [{"vendor": "codename065", "product": "Download Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.51", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL."}], "title": "Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6b02846-61be-4571-921d-53df5493f856?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L257"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L257"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L237"}, {"url": "https://plugins.trac.wordpress.org/changeset/3492316/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdownload-manager/tags/3.3.51&new_path=%2Fdownload-manager/tags/3.3.52"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Or Benit"}], "timeline": [{"time": "2026-03-12T17:09:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T12:00:41.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL."}], "id": "CVE-2026-4057", "lastModified": "2026-04-10T02:16:03.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T02:16:03.240", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L257"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L257"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3492316/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdownload-manager/tags/3.3.51&new_path=%2Fdownload-manager/tags/3.3.52"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6b02846-61be-4571-921d-53df5493f856?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.3.51]"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Download Manager", "source": "cna", "vendor": "codename065"}, "product": "download_manager_plugin", "vendor": "codename065"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T02:22:47.809566+00:00", "value": {"mitigation_remediation": ["Update the Download Manager plugin to version 3.3.52 or later.", "If an immediate update is not possible, restrict Contributor-level users from accessing media protection functions by adjusting role capabilities or disabling the affected endpoints.", "After updating or restricting access, review media files that had been made public to ensure they are still protected as intended."], "summary": {"action": "Immediate Patch", "impact": "Data Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Download Manager plugin for WordPress up to and including version 3.3.51. Affected implementations belong to the codename065 vendor and operate as part of a WordPress site\u2019s media library.", "description_and_impact": "A missing capability check in the MakeMediaPublic and MakeMediaPrivate functions of the Download Manager plugin allows any authenticated user with Contributor-level access or higher to remove protection metadata from media files they do not own. The plugin only verifies the edit_posts capability, ignoring ownership checks, and the operations are performed before a higher-level admin check. This can cause files that should remain private to become publicly accessible via their direct URLs, exposing potentially sensitive content.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available. The attack requires authenticated access with Contributor or greater role, leveraging the plugin\u2019s public endpoints. Although the CVE is not listed in KEV, the direct nature of the exploit and the lack of restriction on the affected functions increase the likelihood of use in environments where contributors have access. Organizations should consider the potential for unintended data exposure and the ease of exploitation when assessing risk."}}}}, "created": "2026-04-10T08:36:12.149850+00:00", "updated": "2026-04-10T09:27:11.518562+00:00", "vendors": ["codename065", "codename065$PRODUCT$download_manager_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}