Download Plugin
Approved changes feed: RSS · Atom
cpe:2.3:a:metagauss:download_plugin:*:*:*:*:*:wordpress:*:*
part: a version: * update: *
| Vendor | Metagauss (efd32a3a-6f1a-5c0a-ba62-c7bf604b79bd) |
|---|---|
| Product | Download Plugin (0ab80cf8-0148-5ad6-a7aa-931ca9b82a26) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | wordpress |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/wpplugins/download-plugin |
purl2cpe | 2026-06-01 10:17:44.201960 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-6586 |
vulnerable | 2026-06-08 07:43:15.509630 |
Download Plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload
HIGH (7.2)
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-07-04T01:44:03.464Z
Updated: 2026-04-16T13:47:19.725Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-9829 |
vulnerable | 2026-06-08 07:00:28.744518 |
Download Plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download
MEDIUM (6.5)
The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed.
Published: 2024-10-23T05:35:06.432Z
Updated: 2026-04-08T17:28:43.433Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-36345 |
vulnerable | 2026-06-08 05:46:07.026321 |
WordPress Download Plugin Plugin <= 2.0.4 is vulnerable to Cross Site Request Forgery (CSRF)
MEDIUM (4.3)
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions.
Published: 2023-05-28T19:05:18.155Z
Updated: 2026-04-28T16:07:45.407Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-25059 |
vulnerable | 2026-06-08 05:30:39.882747 |
Download Plugin < 2.0.0 - Subscriber+ Website Download
The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
Published: 2022-11-28T13:47:09.324Z
Updated: 2025-04-25T15:03:10.128Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-24703 |
vulnerable | 2026-06-08 05:30:39.045651 |
Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
Published: 2021-11-23T19:16:07.000Z
Updated: 2024-08-03T19:42:16.132Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.