{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39676", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:05.155Z", "datePublished": "2026-04-08T08:30:40.171Z", "dateUpdated": "2026-04-08T17:25:16.453Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "download-manager", "product": "Download Manager", "vendor": "Shahjada", "versions": [{"changes": [{"at": "3.3.53", "status": "unaffected"}], "lessThanOrEqual": "3.3.52", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:41.349Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Download Manager: from n/a through <= 3.3.52.</p>"}], "value": "Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through <= 3.3.52."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:40.171Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-51-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Download Manager plugin <= 3.3.52 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T17:24:27.653288Z", "id": "CVE-2026-39676", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T17:25:16.453Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Shahjada Download Manager download-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Manager: from n/a through <= 3.3.52."}], "id": "CVE-2026-39676", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:39.230", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-51-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.52]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Download Manager", "source": "cna", "vendor": "Shahjada"}, "product": "download_manager", "vendor": "shahjada"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T20:39:28.931188+00:00", "value": {"mitigation_remediation": ["Update the Download Manager plugin to version 3.3.53 or later.", "Confirm the plugin version on the WordPress admin dashboard.", "If an immediate update is not possible, restrict access to protected files using the plugin\u2019s access\u2011control settings or add rules to block unauthenticated requests via .htaccess."], "summary": {"action": "Patch Immediately", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The affected product is the Shahjada Download Manager plugin for WordPress, versions up through 3.3.52. Site administrators using these versions should verify their plugin version and elevation of privileges is not impacted.", "description_and_impact": "The vulnerability originates from a missing authorization check within the Shahjada Download Manager plugin, allowing an attacker to access files that should be restricted. This flaw permits unauthorized download of protected content, compromising the confidentiality of data held on the WordPress site. The impact is limited to file access; the attacker cannot modify the site or execute arbitrary code, but can retrieve information not intended for public consumption.", "risk_and_exploitability": "With a CVSS score of 5.3, the vulnerability presents a moderate severity risk. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker can reach the affected functionality via the web interface of the WordPress site, typically by crafting a URL to a protected file without needing prior authentication. As such, the recommended approach is to apply the vendor patch promptly; at present there is no official workaround."}}}}, "created": "2026-04-08T19:27:56.006053+00:00", "updated": "2026-04-09T08:28:07.926043+00:00", "vendors": ["shahjada", "shahjada$PRODUCT$download_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}