Total
4 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-36345 | 1 Metagauss | 1 Download Plugin | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download PluginĀ <= 2.0.4 versions. | |||||
| CVE-2021-25059 | 1 Metagauss | 1 Download Plugin | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website. | |||||
| CVE-2021-24703 | 1 Metagauss | 1 Download Plugin | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
| The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed. | |||||
| CVE-2024-9829 | 1 Metagauss | 1 Download Plugin | 2024-10-25 | N/A | 6.5 MEDIUM |
| The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed. | |||||