Security Issue in the “Download Manager Free” Plugin

Viewing 6 posts - 1 through 6 (of 6 total)


Hello Download Manager Free Support Team,

I hope you are well. I would like to report a security issue that I have encountered in the latest version of the “Download Manager Free” plugin (version 3.2.76) which I recently updated on my WordPress website. This problem seems to be a vulnerability that allows attackers to access sensitive information without authentication, which is extremely concerning for the security of my website.

The vulnerability is described as follows:

[ Download Manager Pro < 6.3.0 – Unauthenticated Sensitive Information Disclosure


The plugin leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.

Proof of Concept

– Create a password protected package containing one or more files.
– Navigate to the download page of the package (e.g. /download/package1)
– Inspect the “Download” button beside one of the packaged files. The HTML should look like this:

class="inddl btn btn-primary btn-sm"
<i class="fa fa-download"></i>

– Note the wpdmdl and ind URL parameters for later.
– Send a POST request to /wp-json/wpdm/validate-filepass:

fetch("/wp-json/wpdm/validate-filepass", {
  "headers": {
    "accept": "*/*",
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8"
  },
  "body": "",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text()).then(text => console.log(text));

– The response will look like the following:


– Construct a download URL as follows, using the above _wpdmkey parameter, as well as the wpdmdl and ind parameters from above:

– See that the file may be downloaded from that URL, without any knowledge of its password. ]

Despite having updated the plugin to the latest available version (version 3.2.76), this issue still persists on my website. As a result, I am very concerned about the security of my site and the data of my users.

I kindly request your assistance and guidance in addressing this security issue effectively. Can you please confirm if you are aware of this vulnerability and if you are working on a solution? If so, when can we expect an update that addresses this problem?

The security of my website is of utmost importance, and I would appreciate any help you can provide to resolve this issue urgently. If additional information or access to my website is needed to investigate this problem, I am willing to provide it securely.

I look forward to your response and appreciate your attention to this critical security matter.

I’m sorry if my English is poor, I am Spanish and I am using ChatGPT to translate 🙂

Thank you and regards,



Don’t worry, the issue was with the pro version, Download Manager Pro, and it is already fixed.



I understand, but I still get the message and no matter how much I update the plugin, the message still doesn’t go away.



You need to contact your hosting support for that, as it is a false positive. However, if it is being caused by any other security plugin, you need to deactivate it or contact their author.



Thank you very much for your answers, I will give it a try. Best regards!



Okay, let me know if you need any further assistance.
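
The mismatch discussed in this thread (an advisory for Download Manager Pro < 6.3.0 reported against Download Manager Free 3.2.76) can be triaged with a check like the one below. This is an added example, not code from the thread, the plugin, or any scanner; the function names, the inventory records and the "loose" matching rule are assumptions made for illustration.

```javascript
// Added example: constructed data, hypothetical function names.
// Advisory as quoted in the thread: "Download Manager Pro < 6.3.0".
const advisory = { product: "Download Manager Pro", fixedIn: "6.3.0" };

// Constructed inventory; the Free version is the one named in the thread.
const installed = [
  { product: "Download Manager Free", version: "3.2.76" },
  { product: "Download Manager Pro", version: "6.2.9" },
  { product: "Download Manager Pro", version: "6.3.0" },
];

// Compare dotted versions numerically, segment by segment
// (plain string comparison would rank "3.2.76" below "3.2.8").
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Loose rule (assumed scanner behaviour): ignores the edition, checks version only.
function looseMatch(plugin, adv) {
  const family = adv.product.replace(/ (Pro|Free)$/, "");
  return plugin.product.startsWith(family) &&
    compareVersions(plugin.version, adv.fixedIn) < 0;
}

// Strict rule: the advisory's exact product must be the one installed.
function strictMatch(plugin, adv) {
  return plugin.product === adv.product &&
    compareVersions(plugin.version, adv.fixedIn) < 0;
}

// Label each installed plugin; falsePositive marks loose-only hits.
function triage(plugins, adv) {
  return plugins.map((p) => {
    const loose = looseMatch(p, adv);
    const strict = strictMatch(p, adv);
    return { ...p, loose, strict, falsePositive: loose && !strict };
  });
}

console.log(triage(installed, advisory));
```
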
