CVE-2025-15364
Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePasswordThe Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account.
We have discovered 26,379 live websites that are affected by CVE-2025-15364.
Affected Software
| Product |  Download Manager |
| Category | Wordpress Plugins |
| Vulnerable Domains | 26,379 live websites (76% of Download Manager install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 236 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-353 Missing Support for Integrity CheckDetails
- Published - Jan 6, 2026
- Updated - Jan 6, 2026
Credits
- Drew Webber (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-15364 United States | 5,171 websites |
 Germany | 3,279 websites |
 Japan | 3,247 websites |
 Italy | 2,223 websites |
 France | 1,283 websites |
 GB | 1,025 websites |
 Spain | 816 websites |
 Netherlands | 613 websites |
 Poland | 534 websites |
 Brazil | 500 websites |
Website Distribution by TLD
Number of websites using CVE-2025-15364| .com | 8,789 websites |
| .org | 2,130 websites |
| .de | 2,106 websites |
| .it | 1,548 websites |
| .net | 830 websites |
| .jp | 753 websites |
| .fr | 553 websites |
| .nl | 528 websites |
| .co.uk | 447 websites |
| .co.jp | 422 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-15364
Top websites that are affected by CVE-2025-15364. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.pl | Poland | *,*** | |
| *******.nagoya | Japan | *,*** | |
| ****.pt |  Portugal | **,*** | |
| ******.com | United States | **,*** | |
| *****.org | United States | **,*** | |
| **********.com | United States | **,*** | |
| **********.com |  Taiwan | **,*** | |
| ***.**********.**.jp | Japan | **,*** | |
| *********.com | United States | **,*** | |
| **********.com | Japan | **,*** |
FAQ
CVE-2025-15364 is Missing Support for Integrity Check in Download Manager
A total of 26,379 websites have been identified as vulnerable to CVE-2025-15364, based on global website indexing conducted by WebTechSurvey.
The Download Manager is affected by the CVE-2025-15364 vulnerability.
Download Manager versions up to and including 3.3.40 are vulnerable to CVE-2025-15364.