CVE-2025-30910 identifies a path traversal vulnerability in the CreativeMindsSolutions CM Download Manager plugin, affecting versions up to and including 2.9.6. Path traversal vulnerabilities occur when an application improperly restricts file path inputs, allowing attackers to navigate outside the intended directory structure. In this case, the vulnerability enables an attacker to craft malicious requests that manipulate file paths to access files and directories beyond the download manager's restricted scope. This can lead to unauthorized reading or modification of sensitive files on the server hosting the plugin. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. Although no public exploits have been reported yet, the flaw poses a significant risk due to the widespread use of CM Download Manager in WordPress environments for managing downloadable content. The lack of a CVSS score means severity must be inferred from the nature of the vulnerability, which impacts confidentiality and integrity, with potential availability impact if critical system files are accessed or altered. The vulnerability was reserved in late March 2025 and published in early April 2025, indicating recent discovery and disclosure. No patches or mitigations are currently linked, so organizations must be vigilant for vendor updates and consider interim controls.

The primary impact of this vulnerability is unauthorized access to sensitive files on servers running the affected CM Download Manager versions. Attackers exploiting this flaw can read confidential configuration files, source code, or other sensitive data, potentially leading to information disclosure. They may also modify files, which could result in defacement, malware injection, or disruption of service. This compromises the confidentiality, integrity, and potentially availability of affected systems. Organizations relying on CM Download Manager for distributing digital content or managing downloads face risks of data breaches and reputational damage. The ease of exploitation without authentication increases the threat level, making automated attacks feasible. If exploited in high-value environments such as e-commerce, government, or critical infrastructure websites, the consequences could be severe, including regulatory penalties and operational disruption.

Organizations should immediately monitor CreativeMindsSolutions announcements for patches addressing CVE-2025-30910 and apply them promptly once available. Until a patch is released, implement strict input validation on all file path parameters to block traversal sequences such as '../'. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attempts targeting the CM Download Manager endpoints. Restrict file system permissions to limit the download manager's access only to necessary directories, preventing unauthorized file reads or writes outside its scope. Conduct thorough audits of server logs to identify suspicious requests attempting directory traversal. Consider temporarily disabling the CM Download Manager plugin if feasible, especially on high-risk or critical systems. Educate development and security teams about this vulnerability to ensure rapid response and remediation.