Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

WordPress Security: Serious Vulnerability in WordPress Download Manager

This entry was posted in WordPress Security on December 4, 2014 by Mark Maunder   8 Replies

There is a serious vulnerability in the WordPress Download Manager plugin that allows a remote attacker to upload malicious scripts to your website, gain administrative access and modify passwords.

The vulnerability exists in versions of WordPress Download Manager older than 2.7.5. The Changelog confirms this has been fixed as of version 2.7.5.

The Problem:

WP Download manager was allowing unauthenticated ajax calls to execute arbitrary functions. This would allow an attacker to upload arbitrary files and perform a variety of other malicious tasks.

What to do:

Upgrade to WordPress Download Manager version 2.7.5 which is the newest version at the time of writing. The author has also confirmed that the newest version of WP Download Manager Pro has also been fixed.

Please spread the word in the WP community to ensure anyone using this plugin upgrades to the newest version promptly.


Did you enjoy this post? Share it!

8 Comments on "WordPress Security: Serious Vulnerability in WordPress Download Manager"

Priya December 4, 2014 at 11:40 pm


Matt December 4, 2014 at 11:56 pm

Thank you so much!

Roberto Lopez December 5, 2014 at 7:33 am

Wordfence Thanks!!!

Jim December 5, 2014 at 9:33 am


These near-constant security holes are souring me on continuing to recommend Wordpress. Just ran into an issue where a family member's web site was hacked because their premium theme depended upon another premium plugin, revslider.

Peter Tonkin December 5, 2014 at 2:49 pm

Hi Guys. It would look as if my site has been hacked in this way. I have lost all access through two different admin passwords and if i check my error-log file it seems to have problems with the database.
There are some slight changes to the home page but other than that I cant see anything else.
Is there anyway of fixing this or do I have to go back to a backup before it occurred.


tigatitik December 9, 2014 at 6:08 pm

Thanks wordfence

liez June 24, 2015 at 5:52 pm

thanks wordfance, keep going!

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates