Vulnerabilities and security researches fordownload-plugin download-plugin

Jun 07, 2024

CVE, Research URL: CVE-2021-25059
Home page URL: Security reports for Download Plugin
Application: Download Plugin
Date: Nov 28, 2022
Research Description: The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-36345
Home page URL: Security reports for Download Plugin
Application: Download Plugin
Date: May 29, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2021-24703
Home page URL: Security reports for Download Plugin
Application: Download Plugin
Date: Nov 24, 2021
Research Description: The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
Affected versions: Min -, max -.
Status: vulnerable

Oct 24, 2024

CVE, Research URL: CVE-2024-9829
Home page URL: Security reports for Download Plugin
Application: Download Plugin
Date: Oct 23, 2024
Research Description: The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed.
Affected versions: Min -, max -.
Status: vulnerable

Jul 05, 2025

CVE, Research URL: CVE-2025-6586
Home page URL: Security reports for Download Plugin
Application: Download Plugin
Date: Jul 04, 2025
Research Description: The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable