CVE-2026-2571: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in codename065 Download Manager
CVE-2026-2571 is a medium-severity vulnerability in the codename065 Download Manager WordPress plugin, affecting all versions up to 3.3.49. It arises from a missing capability check in the 'reviewUserStatus' function, allowing authenticated users with Subscriber-level access or higher to access sensitive user information such as email addresses, display names, and registration dates of any user on the site. The vulnerability does not require user interaction and can be exploited remotely over the network. While it does not impact integrity or availability, it compromises confidentiality by exposing personal data. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize applying patches or workarounds once available, restrict user roles carefully, and monitor for suspicious access. Countries with significant WordPress usage and large online communities are most at risk, including the United States, Germany, United Kingdom, Canada, Australia, and India.
AI Analysis
Technical Summary
CVE-2026-2571 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the codename065 Download Manager plugin for WordPress, affecting all versions up to and including 3.3.49. The root cause is a missing capability check in the 'reviewUserStatus' function, which fails to verify whether the requesting user has sufficient privileges before disclosing sensitive user data. This flaw allows any authenticated user with at least Subscriber-level access to retrieve sensitive information about any user on the site, including email addresses, display names, and registration dates. The vulnerability is remotely exploitable over the network without requiring user interaction. The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to the confidentiality impact and the low complexity of exploitation. The vulnerability does not affect data integrity or system availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The exposure of personal user information can facilitate further attacks such as phishing, social engineering, or targeted account compromise. The plugin is widely used in WordPress environments, which are popular globally, increasing the potential attack surface. The vulnerability highlights the importance of proper capability checks in plugin development to prevent unauthorized data disclosure.
Potential Impact
The primary impact of CVE-2026-2571 is the unauthorized disclosure of sensitive user information, including email addresses, display names, and registration dates. This exposure can lead to privacy violations and enable attackers to conduct targeted phishing campaigns, social engineering attacks, or identity theft. Although the vulnerability does not directly compromise system integrity or availability, the leakage of personal data can undermine user trust and violate data protection regulations such as GDPR or CCPA, potentially resulting in legal and financial repercussions for affected organizations. Since exploitation requires only Subscriber-level access, attackers can leverage compromised or low-privilege accounts to escalate their information gathering. Organizations with large user bases or sensitive user data are particularly at risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future exploitation. Overall, the vulnerability poses a moderate risk to confidentiality and privacy, with potential cascading effects on organizational reputation and compliance.
Mitigation Recommendations
1. Immediately restrict user roles and permissions to the minimum necessary, especially by not granting Subscriber-level accounts to untrusted users.
2. Monitor and audit user activity logs for unusual access patterns to user data, focusing on calls to functions related to 'reviewUserStatus'.
3. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the vulnerable function or plugin endpoints.
4. If possible, disable or remove the Download Manager plugin until a security patch is released.
5. Follow the plugin vendor's updates closely and apply official patches as soon as they become available.
6. Consider custom patching or code review to add capability checks to the 'reviewUserStatus' function so that only authorized roles can access sensitive information.
7. Educate site administrators and users about the risks of phishing and social engineering that may arise from leaked user data.
8. Regularly back up website data and configurations to enable quick recovery if exploitation leads to further compromise.
9. Employ security plugins that can detect and alert on unauthorized data access attempts within WordPress environments.
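As an added illustration (not the plugin's code: the handler names, the wp_ajax action and the 'list_users' gate are assumptions), a hypothetical WordPress AJAX handler showing the missing-capability-check pattern described in the Technical Summary beside the hardened form that mitigation 6 calls for:

```php
<?php
// Hypothetical AJAX handler illustrating the CWE-200 pattern described above.
// Not the plugin's code: function names and the wp_ajax action are assumptions.

// VULNERABLE: any logged-in user (Subscriber or above) can reach a wp_ajax_*
// hook, and nothing checks whether that user may view other users' records.
function example_review_user_status_vulnerable() {
    $user = get_userdata( absint( $_GET['user_id'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 ); // wp_send_json_* ends the request
    }
    wp_send_json_success( array(
        'email'      => $user->user_email,
        'name'       => $user->display_name,
        'registered' => $user->user_registered,
    ) );
}

// HARDENED: same lookup, gated by a nonce (anti-CSRF) and a capability check
// (authorization). 'list_users' is the core capability that lets a role see the
// Users screen; a user without it may still look up only their own record.
function example_review_user_status_fixed() {
    check_ajax_referer( 'example_review_user_status', 'nonce' ); // dies on failure

    $user_id = absint( $_GET['user_id'] ?? 0 );
    $is_self = ( $user_id === get_current_user_id() );
    if ( ! $is_self && ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // deny before touching user data
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    wp_send_json_success( array(
        'email'      => $user->user_email,
        'name'       => $user->display_name,
        'registered' => $user->user_registered,
    ) );
}

// Register only the hardened handler. wp_ajax_* requires a logged-in user;
// wp_ajax_nopriv_* is deliberately not used, so anonymous callers get nothing.
add_action( 'wp_ajax_example_review_user_status', 'example_review_user_status_fixed' );
```

The capability test must run before any user record is loaded or serialized; checking it after building the response is a common variant of the same bug.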
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-15T23:15:40.514Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bba122e32a4fbe5f9bab70
Added to database: 3/19/2026, 7:09:22 AM
Last enriched: 3/19/2026, 7:24:45 AM
Last updated: 3/19/2026, 8:11:26 AM