{"id":33857,"date":"2025-04-29T23:02:22","date_gmt":"2025-04-29T23:02:22","guid":{"rendered":""},"modified":"2025-09-08T10:19:24","modified_gmt":"2025-09-08T16:19:24","slug":"cve-2025-3404-wordpress-download-manager-arbitrary-file-deletion-vulnerability","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-3404-wordpress-download-manager-arbitrary-file-deletion-vulnerability\/","title":{"rendered":"<strong>CVE-2025-3404: WordPress Download Manager Arbitrary File Deletion Vulnerability<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The CVE-2025-3404 is a critical vulnerability in the Download Manager plugin for WordPress, affecting all versions up to and including 3.3.12. This vulnerability can lead to arbitrary file deletion, potentially rendering a website non-functional or even allowing an attacker to execute remote code. This advisory outlines the specifics of the vulnerability, who it affects, its potential consequences, and how to mitigate it. As WordPress is widely used across the internet, this <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-32849-vulnerability-in-telecontrol-server-basic-leads-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"39541\">vulnerability carries significant risk for unpatched systems<\/a>.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-3404<br \/>\nSeverity: High (CVSS: 8.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: High (Author-level access and above)<br \/>\nUser Interaction: Required<br \/>\nImpact: Potential <a href=\"https:\/\/www.ameeba.com\/blog\/yale-new-haven-health-system-data-breach-a-comprehensive-analysis-of-a-cybersecurity-breach-impacting-5-5-million-patients\/\"  data-wpil-monitor-id=\"39542\">system compromise or data<\/a> leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-2058453779\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 720px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 22px; font-weight: 600; display: flex; align-items: center; letter-spacing: -0.02em;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 10px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 42px; height: 42px;\" \/>\r\n    <\/a>\r\n    Share secrets securely\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 14px; color: #d1d5db;\">\r\n    Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 18px; color: #a1a1aa;\">\r\n    Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 24px; color: #e4e4e7;\">\r\n    <li style=\"margin-bottom: 8px;\">\u2022 Encrypted identity<\/li>\r\n    <li style=\"margin-bottom: 8px;\">\u2022 Private Spaces for organizations and teams<\/li>\r\n    <li style=\"margin-bottom: 8px;\">\u2022 End-to-end encrypted chat, calls, files, and notes<\/li>\r\n    <li style=\"margin-bottom: 8px;\">\u2022 Sensitive AI work and protected collaboration<\/li>\r\n    <li>\u2022 Built for information that cannot leak<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px; color: #ffffff;\">\r\n    Our mission is to secure human work alongside AI.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 8px; font-weight: 500;\">\r\n      Download Ameeba\r\n    <\/a>\r\n\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 8px; font-weight: 500;\">\r\n      Learn More\r\n    <\/a>\r\n  <\/div>\r\n<\/div><\/div>\n<p>Product | Affected Versions<\/p>\n<p><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3671-critical-local-file-inclusion-vulnerability-in-wpgym-wordpress-gym-management-system-plugin\/\"  data-wpil-monitor-id=\"80516\">WordPress Download Manager<\/a> | Versions up to and including 3.3.12<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-44755-critical-sql-injection-vulnerability-in-sacco-management-system-v1-0\/\"  data-wpil-monitor-id=\"39633\">vulnerability lies in the savePackage function of the Download Manager<\/a> plugin, which does not properly validate file paths. With this, an attacker with author-level access can craft a request to the server to delete <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-43958-arbitrary-file-upload-vulnerability-in-hospital-management-system-v4-0\/\"  data-wpil-monitor-id=\"39669\">arbitrary files<\/a>. If the attacker chooses to delete a critical file, like wp-config.php, it can lead to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-28039-pre-auth-remote-command-execution-vulnerability-in-totolink-ex1200t\/\"  data-wpil-monitor-id=\"39540\">remote code execution<\/a>, thus compromising the system.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-743752442\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Here&#8217;s a conceptual example of how an <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3200-unauthenticated-remote-attacker-exploiting-insecure-tls-protocols\/\"  data-wpil-monitor-id=\"40821\">attacker might exploit<\/a> this vulnerability. It&#8217;s an HTTP request that instructs the server to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3065-arbitrary-file-deletion-vulnerability-in-database-toolset-plugin\/\"  data-wpil-monitor-id=\"40229\">delete a specific file<\/a>:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-admin\/admin-ajax.php?action=wpdm_save_package HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/x-www-form-urlencoded\n_ID=1&amp;__wpdmfile[files][]=..\/..\/..\/..\/wp-config.php<\/code><\/pre>\n<p>In the above example, the attacker is instructing the server to delete the wp-config.php file, which is a crucial <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3914-potential-arbitrary-file-uploads-and-system-compromise-in-aeropage-sync-for-airtable-wordpress-plugin\/\"  data-wpil-monitor-id=\"40562\">file in a WordPress<\/a> installation. Deleting this can <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-32857-sql-injection-vulnerability-in-telecontrol-server-basic-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"39902\">lead to a system<\/a> compromise.<\/p>\n<p><strong>Mitigation Guidance<\/strong><\/p>\n<p>Users of the WordPress <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3616-arbitrary-file-upload-vulnerability-in-greenshift-wordpress-plugin\/\"  data-wpil-monitor-id=\"39901\">Download Manager<\/a> plugin should immediately apply the vendor patch to fix this vulnerability. If a patch cannot be applied immediately, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used as temporary mitigation. These systems can be <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-3101-privilege-escalation-vulnerability-in-configurator-theme-core-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"40306\">configured to block requests that attempt to exploit this vulnerability<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2025-3404 is a critical vulnerability in the Download Manager plugin for WordPress, affecting all versions up to and including 3.3.12. This vulnerability can lead to arbitrary file deletion, potentially rendering a website non-functional or even allowing an attacker to execute remote code. This advisory outlines the specifics of the vulnerability, who it affects, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-33857","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/33857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=33857"}],"version-history":[{"count":9,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/33857\/revisions"}],"predecessor-version":[{"id":72939,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/33857\/revisions\/72939"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=33857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=33857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=33857"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=33857"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=33857"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=33857"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=33857"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=33857"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=33857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}