CVE-2025-13498: CWE-862 Missing Authorization in codename065 Download Manager
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files.
AI Analysis
Technical Summary
CVE-2025-13498 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Download Manager plugin developed by codename065 for WordPress. The issue exists in all versions up to and including 3.3.32 due to the absence of proper authorization and capability checks on the AJAX action named wpdm_media_access. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this AJAX endpoint and retrieve sensitive information such as passwords and access control settings related to protected media attachments. These credentials can then be leveraged to bypass media protection mechanisms, enabling unauthorized downloads of restricted files. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), but privileges are required (PR:L). The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L), with no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability poses a risk primarily to websites using the affected plugin, especially those relying on media protection features to restrict access to sensitive or proprietary content.
Potential Impact
The primary impact of CVE-2025-13498 is the unauthorized disclosure of sensitive information, specifically passwords and access control settings for protected media files. This breach of confidentiality can lead to unauthorized access and downloading of restricted media content, potentially exposing proprietary, confidential, or sensitive data. For organizations, this could result in intellectual property theft, loss of competitive advantage, or exposure of sensitive client or internal information. While the vulnerability does not affect data integrity or system availability, the compromise of protected media undermines trust in the website's security controls. Attackers with low-level authenticated access (Subscriber role) can exploit this flaw, increasing the risk from insider threats or compromised low-privilege accounts. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed. Organizations relying on this plugin for media protection should consider the risk significant enough to warrant prompt mitigation.
Mitigation Recommendations
To mitigate CVE-2025-13498, organizations should first verify if they are using the codename065 Download Manager plugin version 3.3.32 or earlier. If so, they should immediately upgrade to a patched version once available. In the absence of an official patch, administrators can implement temporary access controls by restricting Subscriber-level users from accessing the wpdm_media_access AJAX action, either through custom code or security plugins that enforce granular capability checks. Additionally, auditing user roles and minimizing the number of users with Subscriber or higher privileges can reduce the attack surface. Employing web application firewalls (WAFs) to monitor and block suspicious AJAX requests targeting wpdm_media_access may provide interim protection. Regularly monitoring logs for unusual access patterns to media files or AJAX endpoints is recommended. Finally, organizations should follow vendor advisories closely for updates and apply patches promptly when released.
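One way to implement the interim capability check recommended above, as an added example that is neither the plugin's code nor part of the original advisory: a must-use plugin that hooks the same AJAX action ahead of the plugin's own handler and rejects callers who lack a chosen capability. It assumes the plugin registers its handler on the standard `wp_ajax_wpdm_media_access` hook at the default priority (10) and that `manage_options` (administrators) is the right bar for the site; both are assumptions to confirm before deploying.

```php
<?php
/**
 * Plugin Name: Interim capability check for wpdm_media_access (CVE-2025-13498)
 * Description: Denies the wpdm_media_access AJAX action to users below a chosen
 *              capability until the vendor patch is applied. Added example, not vendor code.
 */

// Assumption: the plugin's own handler is attached to 'wp_ajax_wpdm_media_access'
// at the default priority (10). Priority 0 makes this guard run first, and the
// guard ends the request before the plugin's handler is reached.
add_action( 'wp_ajax_wpdm_media_access', 'cve_2025_13498_guard', 0 );

function cve_2025_13498_guard() {
    // Assumption: only site administrators legitimately need this endpoint.
    // Lower this to the least-privileged role that actually manages protected media.
    $required_capability = 'manage_options';

    if ( current_user_can( $required_capability ) ) {
        return; // Allowed: fall through to the plugin's normal handler.
    }

    // Subscriber-level (and any other under-privileged) callers land here.
    // Record the denial so log review can spot probing of this endpoint.
    $user = wp_get_current_user();
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'CVE-2025-13498 guard: denied wpdm_media_access for user #%d (%s) from %s',
        $user->ID,
        $user->user_login,
        $addr
    ) );

    // Respond 403 with a JSON error and stop; nothing from the plugin is returned.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins, and remove it once the vendor fix is installed.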
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-21T01:04:54.935Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943b0354eb3efac366fee2b
Added to database: 12/18/2025, 7:41:41 AM
Last enriched: 2/27/2026, 9:55:24 AM
Last updated: 3/26/2026, 3:59:01 AM