The vulnerability identified as CVE-2025-15364 affects the codename065 Download Manager plugin for WordPress, present in all versions up to and including 3.3.40. The root cause is a missing integrity check (CWE-353) during the process of updating user account details, specifically passwords. The plugin fails to properly validate the identity of the user requesting the password change, allowing unauthenticated attackers to modify passwords of any user except administrators. This flaw effectively enables privilege escalation through account takeover, as attackers can gain control over legitimate user accounts without needing credentials or user interaction. The CVSS 3.1 base score of 7.3 reflects the vulnerability’s network attack vector, low attack complexity, no privileges required, and no user interaction needed, with impacts on confidentiality, integrity, and availability rated as low to moderate. Although no exploits have been observed in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple users. The absence of patches at the time of reporting necessitates immediate attention to monitoring and mitigation strategies.

This vulnerability can have severe consequences for organizations relying on the codename065 Download Manager plugin. Attackers can take over non-administrative user accounts, potentially leading to unauthorized access to sensitive data, manipulation of user content, or further lateral movement within the WordPress environment. While administrator accounts are protected, compromised user accounts can still disrupt operations, deface websites, or serve as footholds for more sophisticated attacks. The integrity and availability of the affected WordPress sites may be compromised, resulting in reputational damage and operational downtime. Given WordPress’s widespread use globally, the impact could be extensive, particularly for organizations with multiple user roles and collaborative workflows. The lack of authentication and user interaction requirements makes exploitation relatively easy for remote attackers, increasing the urgency of mitigation.

Organizations should immediately audit their WordPress installations to identify the presence of the codename065 Download Manager plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Implementing strict access controls and monitoring for unusual password changes or login attempts can help detect exploitation attempts. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting password update endpoints may reduce risk. Additionally, enforcing multi-factor authentication (MFA) for all user accounts can limit the impact of compromised credentials. Regular backups and incident response plans should be updated to address potential account takeovers. Once patches become available, prompt application is critical. Developers should also review and enhance input validation and integrity checks in the password update mechanisms to prevent similar issues.