2025-11-18 08:27:37
Wordfence
PUBLISHED
The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the wp_ajax_save_settings AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations.