CVE-2025-13498: CWE-862 Missing Authorization in codename065 Download Manager
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files.
AI Analysis
Technical Summary
CVE-2025-13498 is a vulnerability identified in the codename065 Download Manager plugin for WordPress, affecting all versions up to and including 3.3.32. The root cause is a missing authorization and capability check on the AJAX action named wpdm_media_access. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this AJAX endpoint and retrieve sensitive information such as passwords and access control configurations related to protected media attachments. These credentials and settings can then be leveraged to bypass the intended media protection mechanisms, enabling unauthorized downloads of restricted files. The vulnerability is exploitable remotely without user interaction, requiring only authenticated access, which is commonly granted to registered users on WordPress sites. The CVSS v3.1 base score is 4.3 (medium severity), reflecting a low complexity attack vector with limited confidentiality impact and no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability represents a significant risk to the confidentiality of protected media content. The lack of proper authorization checks indicates a design oversight in the plugin's access control implementation. Organizations relying on this plugin should review their user privilege assignments and consider immediate mitigation steps until an official patch is released.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive media files protected by the Download Manager plugin. This could include intellectual property, confidential documents, or other restricted content intended only for authorized users. The breach of confidentiality may result in reputational damage, regulatory non-compliance (e.g., GDPR if personal data is exposed), and potential financial losses. Since the vulnerability requires only Subscriber-level access, attackers could exploit compromised or malicious user accounts to escalate data exposure. Organizations with public-facing WordPress sites that use this plugin are particularly at risk. The impact is primarily on confidentiality, with no direct effect on system integrity or availability. However, the ability to bypass media protection controls undermines trust in the security of digital assets and could facilitate further attacks or data leakage.
Mitigation Recommendations
1. Immediately restrict or audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access, minimizing the attack surface.
2. Disable or remove the Download Manager plugin if it is not essential to business operations.
3. Monitor WordPress AJAX requests for suspicious activity targeting the wpdm_media_access action, using web application firewalls or custom logging.
4. Implement network-level access controls or IP whitelisting for administrative and authenticated user areas to reduce exposure.
5. Apply virtual patching via security plugins that can intercept and block unauthorized AJAX calls to the vulnerable endpoint.
6. Engage with the plugin vendor or community to obtain or request a security patch and apply it promptly once available.
7. Educate site administrators and users about the risks of privilege escalation and enforce strong authentication policies.
8. Regularly audit protected media files and access logs to detect any unauthorized downloads or data leaks.
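One concrete form of mitigation items 3 and 5 is a must-use plugin that gates the wpdm_media_access AJAX action behind a capability check and logs rejected calls. This is an added example, not code from the Download Manager plugin or its vendor; it assumes that only users holding manage_options legitimately need the action, so lower the capability if editors on your site rely on it.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-13498 (wpdm_media_access)
 * Description: Requires a capability before the Download Manager
 *              "wpdm_media_access" AJAX action runs and logs blocked calls.
 *              Place this file in wp-content/mu-plugins/ so it always loads.
 *
 * Added example, not the plugin's own code. Assumption: manage_options is
 * the capability legitimate callers hold; adjust it for your site.
 */

defined( 'ABSPATH' ) || exit;

// Capability a caller must hold to reach the action (assumption: admin only).
const CVE_2025_13498_REQUIRED_CAP = 'manage_options';

/**
 * Hooked at priority 0, so it runs before the plugin's handler (default
 * priority 10) on both the logged-in and logged-out AJAX hooks. Subscribers
 * and other low-privilege accounts never reach the vulnerable code path.
 */
function cve_2025_13498_gate_media_access() {
    if ( current_user_can( CVE_2025_13498_REQUIRED_CAP ) ) {
        return; // authorized: let the plugin's own handler run normally
    }

    // Record who was blocked so access logs can be audited (mitigation item 8);
    // nothing from the request body is echoed back or logged.
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'CVE-2025-13498 virtual patch: blocked wpdm_media_access user_id=%d login=%s ip=%s',
        $user->ID,
        $user->ID ? $user->user_login : 'anonymous',
        $ip
    ) );

    // wp_send_json_error() ends the request via wp_die(), so the plugin's
    // handler for this action is never executed for this caller.
    wp_send_json_error( array( 'message' => 'Not authorized.' ), 403 );
}
add_action( 'wp_ajax_wpdm_media_access', 'cve_2025_13498_gate_media_access', 0 );
add_action( 'wp_ajax_nopriv_wpdm_media_access', 'cve_2025_13498_gate_media_access', 0 );
```

Remove the must-use plugin once a vendor release with the proper capability check is installed, since it otherwise keeps overriding whatever authorization the patched plugin applies.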
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-21T01:04:54.935Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943b0354eb3efac366fee2b
Added to database: 12/18/2025, 7:41:41 AM
Last enriched: 12/25/2025, 10:48:32 AM
Last updated: 2/6/2026, 2:47:04 PM