
CVE-2025-3404: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in codename065 Download Manager

Medium
Published: Sat Apr 19 2025 (04/19/2025, 07:23:39 UTC)
Source: CVE
Vendor/Project: codename065
Product: Download Manager

Description

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 06/20/2025, 14:05:35 UTC

Technical Analysis

CVE-2025-3404 is a path traversal vulnerability (CWE-22) in the Download Manager plugin for WordPress, developed by codename065, affecting all versions up to and including 3.3.12. The flaw is in the savePackage function, which accepts a file path without adequately checking that it resolves inside the directory the plugin is meant to manage. An authenticated user with the Author role or higher can therefore supply a traversal sequence and have the plugin delete any file the web server account is permitted to remove. The most damaging target is wp-config.php: it holds the database credentials and security keys, and when it is missing WordPress falls back to its installation routine. An attacker who reaches that routine can complete the setup against a database they control and then use the resulting administrator account to install a plugin or theme containing arbitrary PHP, which is why an arbitrary file deletion primitive here is treated as a path to remote code execution rather than a pure denial of service. Author is a moderately privileged role that is routinely granted to content contributors, so exploitation is realistic wherever account issuance is loose or credentials are reused. No public exploit had been reported at the time of analysis, but the precondition is low and the outcome severe, so the issue should be treated as high risk for any site running an affected version. The advisory scopes the flaw to versions up to and including 3.3.12; confirm from the vendor's changelog which later release contains the fix and update to it. Impact spans confidentiality, integrity and availability: the deletion itself removes availability, and the takeover path that follows compromises the other two.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those that run public-facing WordPress sites with the Download Manager plugin installed. Successful exploitation can cause service disruption by deleting files the site depends on and, where wp-config.php is removed, opens a takeover path that ends in remote code execution and full access to the site's data; for sites that process personal data that is a reportable breach under GDPR. Organizations in e-commerce, government, healthcare and finance that use WordPress for public websites or internal portals could therefore face operational downtime, reputational damage and regulatory penalties. Because the attack requires Author-level access, the likely actors are insiders, compromised contributor accounts, or attackers who obtained credentials through phishing or password reuse. Until a site is running a fixed release, protection depends on the mitigations below; the exposure is greatest for organizations with large WordPress estates or lax user provisioning.

Mitigation Recommendations

1. Audit WordPress user roles and remove or downgrade any account that does not need Author-level or higher access. A single compromised Author account is enough to exploit this flaw, so enforce strong, unique passwords and multi-factor authentication for the accounts that remain.
2. Log and monitor file deletions under the WordPress install, with wp-config.php and the plugin's upload directory as the highest-priority watches (an auditd file watch or a file-integrity monitor is sufficient). Treat a previously working site that suddenly serves the WordPress installation screen as an incident, since that is what happens when wp-config.php disappears.
3. Add WAF rules that reject requests to the Download Manager endpoints whose parameters contain traversal sequences, including URL-encoded, double-encoded and backslash variants, and inspect POST bodies as well as query strings.
4. Harden file-system permissions. A process can only delete a file if it has write access to the containing directory, so keep the document root and wp-config.php owned by a non-web-server account, make wp-config.php read-only (mode 440 with the web server in the group is a common choice), and give the web server write access only to wp-content/uploads and other directories that genuinely need it.
5. Disable or uninstall the plugin if it is not essential, or replace it with an alternative that is not affected.
6. Keep regular, versioned backups of files and the database, stored where the web server account cannot delete them, and test restoration.
7. Update to a release later than 3.3.12 as soon as the vendor confirms it contains the fix, and enable automatic plugin updates where change control permits.
8. Run security awareness training covering privilege misuse and the importance of strong authentication controls for content contributors.
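As an added example supporting items 2 and 3 above, the detector below runs over constructed web-server access log lines and flags requests whose path or query parameters carry a traversal sequence, including double-encoded and backslash forms. It is written for this page, not a rule shipped by any WAF or by the plugin vendor; the admin-ajax.php endpoint, the action value and the file parameter in the sample are placeholders, not the plugin's real names.

```python
"""Flag path-traversal attempts in web-server access logs.

Added example over constructed log lines; endpoint and parameter names are
placeholders and the client addresses are documentation ranges.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format prefix: client ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment bounded by slashes or string ends (backslashes normalised first).
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(value: str) -> bool:
    """True for a '..' segment in any encoding with either slash, or an embedded NUL."""
    normalised = fully_decode(value).replace("\\", "/")
    return bool(DOTDOT_SEGMENT.search(normalised)) or "\x00" in normalised


def find_traversal_attempts(lines):
    """Return one finding per log line whose path or query carries traversal."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line we understand
        parts = urlsplit(match["target"])
        suspicious = {}
        if looks_like_traversal(parts.path):
            suspicious["<path>"] = fully_decode(parts.path)
        # parse_qsl decodes one layer; fully_decode handles the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            if looks_like_traversal(raw):
                suspicious[name] = fully_decode(raw)
        if suspicious:
            findings.append({
                "client": match["client"],
                "time": match["time"],
                "endpoint": parts.path,
                "status": int(match["status"]),
                "params": suspicious,
            })
    return findings


# Constructed sample: one benign download, two traversal attempts (plain and
# double-encoded), one unrelated page view.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2025:07:30:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=reports/q1.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Apr/2025:07:30:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 37',
    '198.51.100.4 - - [19/Apr/2025:07:31:15 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 37',
    '198.51.100.4 - - [19/Apr/2025:07:32:00 +0000] "GET /index.php/about-us/ HTTP/1.1" 200 8192',
]


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['endpoint']} {hit['params']}")
```

Access logs only show the query string, and a plugin action of this kind is typically submitted as a POST form, so the same looks_like_traversal check has to be applied to request bodies at the WAF or application layer to cover the real attack surface; the log-based version is still useful for retrospective hunting across GET-based probes.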


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-04-07T10:27:00.760Z
Cisa Enriched
true

Threat ID: 682d984bc4522896dcbf7e9b

Added to database: 5/21/2025, 9:09:31 AM

Last enriched: 6/20/2025, 2:05:35 PM

Last updated: 8/18/2025, 11:28:43 PM

