Vulnerabilities (CVE)

Filtered by vendor Metagauss

Filtered by product Download Plugin

Total 5 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2025-6586	1 Metagauss	1 Download Plugin	2025-07-09	N/A	7.2 HIGH
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2021-25059	1 Metagauss	1 Download Plugin	2025-04-25	N/A	4.3 MEDIUM
The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
CVE-2022-36345	1 Metagauss	1 Download Plugin	2024-11-21	N/A	4.3 MEDIUM
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions.
CVE-2021-24703	1 Metagauss	1 Download Plugin	2024-11-21	3.5 LOW	5.7 MEDIUM
The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
CVE-2024-9829	1 Metagauss	1 Download Plugin	2024-10-25	N/A	6.5 MEDIUM
The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and applica ... Show More