• A website on which I use Download Manager must pass a pen test. The testers found the following software with known vulnerabilities in the plugin, which is why the site cannot be approved:
    vue 2.6.12 (currently 3.5.18)
    bootstrap.js 3.3.4  (currently 5.3.7)

    Can you give me your opinion on this?

    Best,
    Manja

Viewing 15 replies - 1 through 15 (of 16 total)
  • Plugin Support Nayeem Hyder

    (@nriddhi)

    Hello Manja,

    Hope you are well. If the issues are these,
    vue 2.6.12 (currently 3.5.18)
    bootstrap.js 3.3.4  (currently 5.3.7)
    This is not a major issue. It is only pointing out that the tool/library used in our plugin is somewhat old in version, so it is giving a warning. Otherwise there is no problem with this. Please kindly check.

    Thank you

    Thread Starter Manja Neumann

    (@tippl)

    It’s not just a warning. We failed the test because of these two outdated libraries in your plugin.
    There is a security patch for it, right?

    Plugin Support Nayeem Hyder

    (@nriddhi)

    For Bootstrap, we are not using Bootstrap directly anymore in the latest version; please kindly clear your site cache. As for Vue, the next version update is coming with the latest Vue version and the fix. Please kindly check.

    Thank you and kind regards

    Thread Starter Manja Neumann

    (@tippl)

    Thanks for the clarification. Which fix will upgrade Vue to the latest version?

    Plugin Support Nayeem Hyder

    (@nriddhi)

    The warning you are getting is for the old Vue version. Please kindly check and let me know if you have more queries.

    Thank you and kind regards

    Thread Starter Manja Neumann

    (@tippl)

    Sorry I don’t understand your answer. I want to know in which update will you replace the old vue version? Can you give me an estimation?

    Plugin Support Nayeem Hyder

    (@nriddhi)

    Please kindly check whether your issue has been resolved on the latest version.

    Thank you

    Thread Starter Manja Neumann

    (@tippl)

    I don’t know how to check which Vue version your plugin uses. I was hoping you would know? I would like to start the retest only once the issue has been fixed.

    Plugin Support Nayeem Hyder

    (@nriddhi)

    Please kindly check on the latest version whether the issue is appearing again, and let me know if the issue persists.

    Thank you

    Thread Starter Manja Neumann

    (@tippl)

    I have checked the plugin files directly (version 3.3.24).

    • The plugin includes Vue.js v2.6.12 (/assets/js/vue.min.js).
    • It also bundles Bootstrap (/assets/adminui/js/bootstrap.min.js and bootstrap.bundle.min.js).

    So, even though you mentioned that Bootstrap is not included, it is actually shipped inside the plugin package. Vue is also included, and the version is not the latest (Vue 2.7 is the most recent release in the 2.x branch).

    It would be very helpful to know if there are plans to update these dependencies to more recent versions, as we have to pass the OWASP pen test. Otherwise we will have to replace your plugin with a more secure plugin.

    Thanks
    Manja
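The check Manja describes (opening the plugin package and reading the version banners at the top of the minified builds) can be scripted so it is repeatable before a retest. The following is an added example, not code from the Download Manager plugin or from anyone in this thread. It assumes the banner formats that Vue 2.x and Bootstrap builds put in their leading comment (`Vue.js vX.Y.Z`, `Bootstrap vX.Y.Z`), takes the "current" versions from the pen-test report quoted at the top of the thread (Vue 3.5.18, Bootstrap 5.3.7), and builds a constructed stand-in plugin tree in a temporary directory so it runs offline; the file paths mirror the ones reported above, but their contents are fabricated for the example. On a real install the equivalent quick check is `grep -rE 'Vue\.js v|Bootstrap v' --include='*.js' wp-content/plugins/download-manager`.

```python
"""Scan a WordPress plugin directory for bundled JS libraries and flag outdated versions.

Added example; not the plugin's own code. Banner patterns and "current" versions
are assumptions taken from the thread, see comments below.
"""
import os
import re
import tempfile

# Assumption: Vue 2.x builds start with "Vue.js vX.Y.Z" and Bootstrap builds with
# "Bootstrap vX.Y.Z" (optionally "-alpha1" style pre-release tags) in the first comment.
BANNER_RE = re.compile(
    r"\b(Vue\.js|Bootstrap)\s+v(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)"
)

# Versions the pen-test report in this thread named as current.
CURRENT = {"Vue.js": "3.5.18", "Bootstrap": "5.3.7"}


def parse_version(v):
    """Return a sortable key for 'X.Y.Z' or 'X.Y.Z-pre'.

    A pre-release (5.3.0-alpha1) sorts below its final release (5.3.0),
    which matters here because the plugin ships an alpha build.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums, 0 if pre else 1, pre)


def scan_plugin(root):
    """Map relative path -> (library, version) for every .js file with a recognised banner."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(2048)  # banners live in the first comment block
            m = BANNER_RE.search(head)
            if m:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = (m.group(1), m.group(2))
    return found


def outdated(found, current=CURRENT):
    """List (path, lib, shipped, current) for every bundled copy older than `current`."""
    out = []
    for path, (lib, ver) in sorted(found.items()):
        if lib in current and parse_version(ver) < parse_version(current[lib]):
            out.append((path, lib, ver, current[lib]))
    return out


def build_sample_plugin():
    """Constructed stand-in for a plugin package; contents are fabricated for this example."""
    root = tempfile.mkdtemp(prefix="plugin-")
    files = {
        "assets/js/vue.min.js":
            "/*!\n * Vue.js v2.6.12\n * (c) 2014-2020 Evan You\n"
            " * Released under the MIT License.\n */\n!function(e,t){}();",
        "assets/adminui/js/bootstrap.min.js":
            "/*!\n * Bootstrap v3.3.4 (http://getbootstrap.com)\n"
            " * Copyright 2011-2015 Twitter, Inc.\n */\n+function($){}(jQuery);",
        "assets/adminui/js/bootstrap.bundle.min.js":
            "/*!\n  * Bootstrap v5.3.0-alpha1 (https://getbootstrap.com/)\n"
            "  * Copyright 2011-2022 The Bootstrap Authors\n  */\n!function(t,e){}();",
        "assets/js/app.js":
            "// plugin's own code, no library banner\n(function(){})();",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_plugin()
    for path, lib, shipped, cur in outdated(scan_plugin(root)):
        print(f"{path}: {lib} {shipped} (current {cur})")
```

Run against the constructed tree it lists all three bundled copies (Vue 2.6.12 and both Bootstrap builds) as older than the reference versions and ignores the plugin's own script, which has no banner. Point `scan_plugin` at `wp-content/plugins/<plugin>` on a real install; the scan only reads the first 2 KiB of each file, so it is cheap to run on every plugin before a retest.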

    Plugin Support Nayeem Hyder

    (@nriddhi)

    Are the warnings you reported still appearing on your side? Please kindly check and let me know.

    Thank you and regards

    Thread Starter Manja Neumann

    (@tippl)

    I have already provided the evidence directly from the plugin package (Vue.js v2.6.12 and Bootstrap are both included).
    In fact, the plugin ships with two different versions of Bootstrap: v3.3.4 and v5.3.0-alpha1.

    If there is no transparent confirmation or plan from the developer regarding outdated and inconsistent dependencies, I cannot rely on this plugin any longer and will look for alternatives.

    Transparency about bundled libraries is essential for security.

    Plugin Support Nayeem Hyder

    (@nriddhi)

    Hello,

    This is not a major issue, even if it is not showing the warnings, but you have gone to the review section. However, we are checking the issue. I have already forwarded your issue to our related team. Please kindly check and let me know if you have any more queries.

    Thank you and regards

    Thread Starter Manja Neumann

    (@tippl)

    Thank you for confirming that Vue.js will be updated and Bootstrap will be removed.
    However, I need to ask very clearly:

    What is the exact timeline for these updates?

    • Vue.js (currently v2.6.12) must be updated to the latest secure version.
    • Bootstrap (currently included as v3.3.4 and v5.3.0-alpha1) must be removed or replaced with a stable, supported version.

    This is not only a feature request – we are running a penetration test, and the reported security issue must be resolved to continue using the plugin.
    Without a clear timeframe, we have to consider replacing this plugin.

    For reference, Patchstack has already published a vulnerability:
    https://patchstack.com/database/wordpress/plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-24-sensitive-data-exposure-vulnerability?_s_id=cve

    Plugin Author Shahjada

    (@codename065)

    We shall release an update within next 48 hours.

    Patchstack has not published or disclosed it yet. They discovered the issue on September 26, 2025, and will publish it 30 days after we fix it and release an update. This Patchstack post is simply an acknowledgment of the issue they identified.


The topic ‘Vulnerabilities in Plugin?’ is closed to new replies.