CVE-2025-3404 is a path traversal vulnerability classified under CWE-22, found in the Download Manager plugin developed by codename065 for WordPress. The flaw exists in the savePackage function, which fails to properly validate file paths before performing file deletion operations. This improper limitation allows authenticated users with Author-level access or higher to craft malicious requests that delete arbitrary files on the hosting server. Because WordPress sites often rely on critical configuration files such as wp-config.php, deleting these files can disrupt site functionality or enable attackers to execute arbitrary code remotely by forcing the system into insecure states or triggering fallback behaviors. The vulnerability affects all versions up to and including 3.3.12 of the plugin. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's nature and ease of exploitation make it a significant risk for WordPress sites using this plugin. The vulnerability was reserved and published in April 2025, with enrichment from CISA, underscoring its importance. No official patches are linked yet, so mitigation relies on access control, monitoring, and possibly disabling the plugin until a fix is available.

The impact of CVE-2025-3404 is substantial for organizations running WordPress sites with the vulnerable Download Manager plugin installed. Successful exploitation allows attackers with Author-level privileges to delete any file on the server, which can lead to site downtime, data loss, and potential remote code execution. This compromises the confidentiality, integrity, and availability of the affected systems. Attackers could delete configuration files, critical plugin or theme files, or other sensitive data, potentially gaining full control over the website or server environment. The vulnerability could be leveraged to disrupt business operations, deface websites, or use compromised servers as a foothold for further attacks within an organization's network. Given WordPress's widespread use globally, the threat could affect a large number of websites, including those of small businesses, enterprises, and government entities. The requirement for authenticated access limits exploitation to insiders or compromised accounts but does not eliminate risk, especially in environments with multiple content creators or contributors.

1. Immediately restrict Author-level and higher user privileges to trusted individuals only, minimizing the risk of insider threats. 2. Monitor and audit user activities, especially file deletion requests and plugin usage logs, to detect suspicious behavior early. 3. Disable or uninstall the Download Manager plugin until an official patch or update is released by codename065. 4. Implement web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the savePackage function. 5. Employ file integrity monitoring solutions to alert on unexpected deletions or modifications of critical files like wp-config.php. 6. Enforce strict file system permissions on the server to limit the plugin’s ability to delete sensitive files outside its designated directories. 7. Regularly back up website files and databases to enable rapid recovery in case of successful exploitation. 8. Stay informed of vendor announcements and apply patches promptly once available. 9. Consider isolating WordPress instances in containerized or sandboxed environments to reduce the blast radius of potential attacks.