CVE-2025-4799: 
WordPress vulnerability analysis and mitigation

The WP-DownloadManager plugin for WordPress contains a vulnerability (CVE-2025-4799) that was disclosed on June 11, 2025. The vulnerability affects all versions up to and including 1.68.10, allowing arbitrary file deletion due to insufficient directory restrictions. This security issue impacts WordPress installations with the WP-DownloadManager plugin installed (NVD, Wiz).

The vulnerability stems from a lack of proper restrictions on the directory from which files can be deleted. It has been classified as CWE-36 (Absolute Path Traversal) and assigned a CVSS v3.1 Base Score of 7.2 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, AttackerKB).

When exploited, this vulnerability allows authenticated attackers with Administrator-level access to delete arbitrary files on the server. The impact is particularly severe as it can lead to remote code execution when critical files, such as wp-config.php, are deleted. The vulnerability becomes more dangerous when combined with CVE-2025-4798, as it enables the deletion of any file within the WordPress root directory (NVD).

The vulnerability has been patched in version 1.68.11 of the WP-DownloadManager plugin. The update includes security improvements that ensure the Download Path starts only with the wp-content folder for additional security (WordPress Changeset).