CVE-2025-12177

Medium CVSS: 5.3

The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.

Vendor

Product

CWE

CWE-321

Yayın Tarihi

2025-11-08 04:15:45

Güncelleme

2025-11-12 16:19:59

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-321 MEDIUM 2025

Referanslar

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3390068%40download-manager&new=3390068%40download-manager&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/17d5253c-5000-40c7-a7fd-f75d4badfb5e?source=cve