CVE-2025-12177: 
WordPress vulnerability analysis and mitigation

The Download Manager plugin for WordPress contains a vulnerability (CVE-2025-12177) discovered in versions up to and including 3.3.30. The vulnerability stems from the use of a hardcoded Cron key in the deleteExpired() and clearTempDataCPCron() functions. This security flaw was disclosed on November 7, 2025, and affects the WordPress Download Manager plugin (NVD, Rapid7).

The vulnerability is classified as CWE-321 (Use of Hard-coded Cryptographic Key) with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to trigger cron jobs within the plugin, potentially leading to the deletion of expired posts and clearing of cache data. This unauthorized access could result in unintended data manipulation and potential disruption of website functionality (NVD).

The vulnerability has been addressed in version 3.3.31 of the Download Manager plugin, which includes improved cron job functions. Users are advised to update to this latest version to mitigate the security risk (WordPress Plugin Repository).