CVE-2025-30910: 
WordPress vulnerability analysis and mitigation

The CVE-2025-30910 is a Path Traversal vulnerability discovered in CreativeMindsSolutions' CM Download Manager WordPress plugin affecting versions through 2.9.6. The vulnerability was disclosed on March 27, 2025, and allows unauthenticated attackers to perform arbitrary file deletion on affected WordPress installations (Patchstack, NVD).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') issue, identified as CWE-22. It has received a CVSS v3.1 base score of 8.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability exists in the deletescreenshot() function, which fails to properly validate file paths (WPScan).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This can lead to remote code execution when critical files such as wp-config.php are deleted. The impact primarily affects the availability of the system, with no direct impact on confidentiality or integrity (WPScan).

The vulnerability has been fixed in version 3.0.0 of the CM Download Manager plugin. Users are strongly advised to update to this version immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).