{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T07:59:03.236","vulnerabilities":[{"cve":{"id":"CVE-2026-2426","sourceIdentifier":"security@wordfence.com","published":"2026-02-18T11:16:32.603","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can lead to remote code execution when critical files like wp-config.php are deleted."},{"lang":"es","value":"El plugin WP-DownloadManager para WordPress es vulnerable a salto de ruta en todas las versiones hasta la 1.69, inclusive, a través del parámetro 'file' en la funcionalidad de eliminación de archivos. Esto se debe a una validación insuficiente de las rutas de archivo proporcionadas por el usuario, lo que permite secuencias de salto de directorio. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador y superior, eliminen archivos arbitrarios en el servidor, lo que puede conducir a ejecución remota de código cuando se eliminan archivos críticos como wp-config.php."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.2}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"references":[{"url":"https://github.com/lesterchan/wp-downloadmanager/commit/d3470a8971d9043438c8aad281cf37d14fefa208","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/wp-downloadmanager/tags/1.69/download-manager.php#L215","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-manager.php#L215","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/a3f791dd-7c24-45e3-b4f6-b8d7e594c568?source=cve","source":"security@wordfence.com"}]}}]}