Impact
The Simple Downloads List plugin for WordPress lacks a capability check on the wp_ajax_neofix_sdl_edit AJAX action and on several other AJAX actions, so any authenticated user with Subscriber-level access or higher can modify plugin settings and download entries that should be restricted to administrators. By sending crafted requests to these actions, an attacker can store malicious script in those settings; the script is later rendered by the site and executes in the browsers of users who view the affected pages (stored cross-site scripting), potentially leading to defacement, data tampering, or further compromise. The root cause is missing authorization (CWE-862).
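As an added illustration of the flaw class described above, the following PHP shows a wp_ajax_ handler that lacks a capability check beside its hardened form. This is example code, not the Simple Downloads List plugin's own code: only the hook name wp_ajax_neofix_sdl_edit comes from the advisory, while the function names, option keys, request parameters and nonce action are invented for the example, and the real handler's body is not known from this page.

```php
<?php
// Illustrative example only: NOT the Simple Downloads List plugin's code.
// Demonstrates the CWE-862 pattern in a wp_ajax_ handler and how to harden it.
// Any logged-in user can reach wp_ajax_* hooks via /wp-admin/admin-ajax.php,
// so registering the handler alone grants no authorization at all.

// --- Vulnerable pattern (hypothetical handler body) ---
add_action( 'wp_ajax_neofix_sdl_edit', 'sdl_example_edit_vulnerable' );
function sdl_example_edit_vulnerable() {
    // Missing: capability check, nonce verification and input sanitization.
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $title = isset( $_POST['title'] ) ? $_POST['title'] : ''; // raw input -> stored XSS
    update_option( 'sdl_example_download_' . $id, array( 'title' => $title ) );
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_neofix_sdl_edit', 'sdl_example_edit_hardened' );
function sdl_example_edit_hardened() {
    // 1. Authorization: restrict the action to users allowed to manage settings.
    //    Subscribers do not hold manage_options, so they are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }

    // 2. CSRF protection: nonce issued on the admin page with
    //    wp_create_nonce( 'sdl_example_edit' ); check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'sdl_example_edit', '_ajax_nonce' );

    // 3. Sanitize input so stored values cannot carry script.
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id' ), 400 ); // exits
    }

    update_option( 'sdl_example_download_' . $id, array( 'title' => $title ) );
    wp_send_json_success( array( 'id' => $id, 'title' => $title ) );
}

// 4. Escape on output as well: even sanitized data should be escaped when rendered.
function sdl_example_render_title( $id ) {
    $entry = get_option( 'sdl_example_download_' . absint( $id ), array( 'title' => '' ) );
    return '<span class="sdl-title">' . esc_html( $entry['title'] ) . '</span>';
}
```

The capability check is the fix for the missing-authorization issue itself; the nonce, sanitization and output escaping close the adjacent CSRF and stored-XSS paths that the advisory says the unauthorized writes are used to reach. When auditing a plugin for this class of bug, grep every add_action( 'wp_ajax_ registration and confirm its callback performs a current_user_can() test before any state change.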
Affected Systems
Simple Downloads List plugin for WordPress, versions up to and including 1.4.3. Exploitation requires an authenticated account with the Subscriber role or higher. Since Subscriber is WordPress's default role for self-registered users, any affected site that permits open registration effectively exposes the endpoint to anyone who creates an account. The vulnerable code is the plugin's AJAX handling for its backend admin panel, reached through /wp-admin/admin-ajax.php.
Risk and Exploitability
The CVSS score of 6.4 places the issue in the Medium severity band. The EPSS score below 1% indicates a low observed probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires an authenticated account with at least Subscriber access; the attacker then invokes the vulnerable AJAX action through admin-ajax.php from a browser or any HTTP client. Success permits unauthorized configuration changes and stored cross-site scripting on the site. Given the moderate impact and low exploitation likelihood, the issue warrants timely patching rather than emergency response, with priority on sites that allow open user registration, because on those sites the Subscriber prerequisite is trivially met.
OpenCVE Enrichment