
WP-DownloadManager plugin deletes arbitrary files on your server

CVE-2026-2426
Summary

The WP-DownloadManager plugin for WordPress allows authenticated attackers with Administrator-level access to delete any file on your server, including sensitive files like your WordPress configuration file. Deleting critical files such as wp-config.php can lead to remote code execution and a complete server takeover. Update to the latest version of the plugin to fix this issue.

Original title
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to in...
Original description
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can lead to remote code execution when critical files like wp-config.php are deleted.
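
One way to validate a user-supplied file name before deletion, shown as an added example (not the plugin's code or its patch). The function name `resolve_inside_base`, the `files` directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: containment check before deleting a file named by a request
// parameter. resolve_inside_base() and the directory layout are hypothetical.

function resolve_inside_base(string $baseDir, string $userFile): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($userFile === '' || strpos($userFile, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }
    // realpath() collapses "..", "." and symlinks; false if the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "files-old" is not accepted as being inside "files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files/sub', 0700, true);
mkdir($root . '/files-old', 0700, true);
file_put_contents($root . '/files/sub/report.pdf', 'x');
file_put_contents($root . '/files-old/keep.txt', 'x');
file_put_contents($root . '/wp-config.php', 'x');

// Constructed inputs: one legitimate name, then names that resolve outside the base.
$cases = ['sub/report.pdf', '../wp-config.php', 'sub/../../wp-config.php',
          '../files-old/keep.txt', 'missing.zip'];
foreach ($cases as $file) {
    $path = resolve_inside_base($root . '/files', $file);
    if ($path !== null) {
        unlink($path); // only reached for paths resolved inside the base directory
    }
    printf("%-26s %s\n", $file, $path !== null ? 'deleted' : 'rejected');
}
```

Resolving the path first and comparing the canonical result is what closes the gap; filtering `../` out of the raw string leaves encoded or nested sequences and symlinks unhandled.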
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-22 Path Traversal
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026