cleantalk
Vulnerabilities and Security Researches

Download Plugin, CVE-2024-9829

CVE, Research URL

CVE-2024-9829

Home page URL

Security reports for Download Plugin

Application

Download Plugin

Published on
Oct 23, 2024
Research Description
The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed.
Affected versions
Min -, max 2.2.1.
Status
vulnerable
Previous vulnerability researches
Download Plugin (CVE-2024-9829) , Oct 24, 2024
Download Plugin (CVE-2021-25059) , Jun 07, 2024
Download Plugin (CVE-2022-36345) , Jun 07, 2024
Download Plugin (CVE-2021-24703) , Jun 07, 2024
Download Plugin (CVE-2025-6586) , Jul 05, 2025
New vulnerability
WP Compress – Image Optimizer [All-In-One] (CVE-2025-47479) , Jul 05, 2025
WP Shortcodes Plugin — Shortcodes Ultimate (CVE-2025-5567) , Jul 05, 2025
URL Shortener Plugin For WordPress (CVE-2025-28963) , Jul 05, 2025
WP Travel Gutenberg Blocks (CVE-2025-53207) , Jul 05, 2025
PayMaster for WooCommerce (CVE-2025-6729) , Jul 05, 2025