Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php.

Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.