CVE-2025-15364: CWE-353 Missing Support for Integrity Check in codename065 Download Manager
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.
AI Analysis
Technical Summary
CVE-2025-15364 is a vulnerability classified under CWE-353 (Missing Support for Integrity Check) in the codename065 Download Manager plugin for WordPress. The plugin, widely used for managing file downloads, is affected in all versions up to and including 3.3.40. The flaw arises because the plugin fails to properly validate a user's identity before allowing updates to sensitive account details such as passwords, so an unauthenticated attacker can change the password of any non-administrator account. This missing authentication check enables privilege escalation via account takeover: an attacker resets a victim's password without any prior authentication or user interaction and then logs in as that user. The CVSS v3.1 base score is 7.3 (High): network attack vector, no privileges or user interaction required, and impact on confidentiality, integrity, and availability. Although no exploitation in the wild has been reported, the characteristics of the vulnerability make it an attractive target for attackers seeking to compromise WordPress sites running this plugin. The absence of patch links suggests that a fix may not yet be publicly available, which increases the urgency for administrators to monitor for updates or apply workarounds. Compromised accounts could be used for data theft, unauthorized content distribution, or further lateral movement within the affected environment.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the codename065 Download Manager plugin installed. Successful exploitation can lead to unauthorized access to user accounts, resulting in potential data breaches, loss of user trust, and disruption of services. Confidential information stored in or accessible via compromised accounts could be exposed or manipulated. The integrity of user data and site content could be undermined, and availability might be affected if attackers use compromised accounts to deploy malicious payloads or disrupt normal operations. Organizations in sectors such as e-commerce, media, education, and government that use this plugin are particularly exposed. Although administrator accounts cannot be directly targeted, attackers may still use compromised non-admin accounts to escalate privileges or to conduct phishing and social engineering attacks. The lack of known exploits in the wild currently provides a window for mitigation, but the ease of exploitation means rapid action is necessary to prevent potential attacks.
Mitigation Recommendations
1. Immediately audit WordPress sites for the presence of the codename065 Download Manager plugin and identify affected versions (up to 3.3.40).
2. Monitor official vendor channels and WordPress plugin repositories for patches or updates addressing CVE-2025-15364 and apply them as soon as they become available.
3. In the absence of an official patch, implement web application firewall (WAF) rules to block unauthorized password change requests targeting the plugin's endpoints.
4. Restrict access to password update functionalities by IP whitelisting or requiring additional authentication layers such as multi-factor authentication (MFA) for all user accounts.
5. Conduct regular user account audits to detect suspicious password changes or unauthorized access attempts.
6. Educate users about the risk of phishing and encourage strong, unique passwords to limit the impact of compromised accounts.
7. Consider temporarily disabling or replacing the plugin with a more secure alternative until a patch is available.
8. Implement logging and monitoring to detect anomalous activities related to user account modifications.
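Mitigation item 8 asks for logging and monitoring of account modifications. The script below is an added example, not code from this page, from the Download Manager plugin, or from its vendor. It applies two detection rules to constructed audit-log lines: a password change recorded with no authenticated session behind it (the pattern this advisory describes), and a burst of password changes for different users from a single source IP. The one-JSON-object-per-line format with fields ts, event, user, ip and session_user is an assumption for the example, not a real WordPress or plugin log format; a site would feed it from whatever audit logging it has in place.

```python
"""Detect anomalous password-change activity in a WordPress-style audit log.

Added example for the monitoring recommendation above. The log format
(one JSON object per line with ts, event, user, ip, session_user) is an
assumption made for this example, not a real WordPress or plugin format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (no real site, users or addresses).
# session_user is the account behind the request's login session, or null
# when the request carried no valid session at all.
SAMPLE_LOG = """\
{"ts": "2026-01-06T10:00:00Z", "event": "login_success", "user": "alice", "ip": "203.0.113.5", "session_user": "alice"}
{"ts": "2026-01-06T10:05:00Z", "event": "password_changed", "user": "alice", "ip": "203.0.113.5", "session_user": "alice"}
{"ts": "2026-01-06T11:00:00Z", "event": "password_changed", "user": "bob", "ip": "198.51.100.7", "session_user": null}
{"ts": "2026-01-06T11:00:20Z", "event": "password_changed", "user": "carol", "ip": "198.51.100.7", "session_user": null}
{"ts": "2026-01-06T11:00:45Z", "event": "password_changed", "user": "dave", "ip": "198.51.100.7", "session_user": null}
{"ts": "2026-01-06T12:30:00Z", "event": "password_changed", "user": "erin", "ip": "192.0.2.9", "session_user": "erin"}
"""

BURST_WINDOW = timedelta(minutes=10)  # sliding window for the burst rule
BURST_THRESHOLD = 3                   # password changes per IP inside the window


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat() does not accept a trailing 'Z' on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_suspicious_password_changes(events, burst_window=BURST_WINDOW,
                                     burst_threshold=BURST_THRESHOLD):
    """Return a list of findings (dicts with a 'rule' key) for the events.

    Rule 1: a password_changed event with no authenticated session behind it.
            Legitimate changes come from a logged-in user (or a logged-in
            administrator acting on another account); a session-less change
            is exactly what an unauthenticated takeover looks like.
    Rule 2: burst_threshold or more password_changed events from one source
            IP within burst_window, regardless of session state.
    """
    findings = []
    changes = [e for e in events if e["event"] == "password_changed"]

    for e in changes:
        if not e.get("session_user"):
            findings.append({
                "rule": "password_change_without_session",
                "user": e["user"],
                "ip": e["ip"],
                "ts": e["ts"].isoformat(),
            })

    by_ip = defaultdict(list)
    for e in changes:
        by_ip[e["ip"]].append(e["ts"])
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= burst_window.
            while times[end] - times[start] > burst_window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append({
                    "rule": "password_change_burst",
                    "ip": ip,
                    "count": end - start + 1,
                    "ts": times[end].isoformat(),
                })
                break  # one finding per IP is enough to raise an alert

    return findings


if __name__ == "__main__":
    for finding in find_suspicious_password_changes(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed input the script reports three session-less changes (bob, carol, dave) and one burst from 198.51.100.7; alice's and erin's self-service changes are not flagged. Tune BURST_WINDOW and BURST_THRESHOLD to the site's normal reset volume, and treat rule 1 hits as high priority until the plugin is patched or disabled.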
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-30T14:21:41.555Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695c6e793839e44175bdd387
Added to database: 1/6/2026, 2:07:53 AM
Last enriched: 1/6/2026, 2:22:42 AM
Last updated: 1/8/2026, 4:38:58 AM
Views: 44