Description
The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations.
Published: 2025-11-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation (Configuration Modification)
Action: Update Plugin
AI Analysis

Impact

The Download Panel WordPress plugin contains a missing capability check in its AJAX handler, the dlpn_save_settings() function. This flaw allows any authenticated user with at least Subscriber-level access to invoke the wp_ajax_save_settings action and arbitrarily alter plugin settings, such as display text, download links, and button appearance. The vulnerability is a classic example of CWE-862, a missing authorization weakness, and while it does not permit code execution, it can be used to deface a site or redirect users.

Affected Systems

The flaw exists in all releases of the Download Panel plugin up to and including version 1.3.3. The plugin is distributed by arkadiykilesso (Biggiko Team) and is commonly installed on WordPress sites that require a download panel feature. Any site running one of the affected versions is susceptible; newer releases beyond 1.3.3 have corrected the oversight.

Risk and Exploitability

The vulnerability scores a moderate CVSS of 4.3, with an EPSS below 1%, indicating a low exploitation probability at the time of analysis. It is not listed in CISA's KEV catalog. Because the attack vector requires authentication, an attacker only needs to be logged into the WordPress instance with Subscriber or higher privileges. Once authenticated, the attacker can send a crafted AJAX request to the vulnerable endpoint and manipulate the plugin’s configuration without further escalation.

Generated by OpenCVE AI on April 21, 2026 at 18:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download Panel plugin to version 1.3.4 or later, which includes an authorization check for the wp_ajax_save_settings endpoint.
  • If an upgrade is not immediately possible, modify the dlpn_save_settings() function or add a hook to require the current user to have the 'manage_options' capability before applying changes.
  • After applying the fix, audit the plugin’s configuration values to ensure no unauthorized alterations remain and consider disabling the plugin on production sites until the patch is applied.
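The shape of an AJAX settings handler that carries the checks the recommendations describe, as an added illustration rather than the Download Panel plugin's own code; the option key, field names, nonce action and the `dlpn_` handler body are assumptions made for this example.

```php
<?php
// Added illustration, not the plugin's code: the handler registered on the
// 'wp_ajax_save_settings' action is only reachable by logged-in users, which
// is exactly why it must check capability itself (assumed option key/fields).
add_action( 'wp_ajax_save_settings', 'dlpn_save_settings' );

function dlpn_save_settings() {
    // 1. Authorization (the check described as missing in CVE-2025-12961):
    //    a Subscriber is logged in but must not be able to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action (assumed action name 'dlpn_save_settings', field 'nonce').
    check_ajax_referer( 'dlpn_save_settings', 'nonce' );

    // 3. Allow-list the fields and sanitize each one; the download link is
    //    restricted to http/https so it cannot become a script: URL.
    $text  = sanitize_text_field( wp_unslash( $_POST['display_text'] ?? '' ) );
    $link  = esc_url_raw( wp_unslash( $_POST['download_link'] ?? '' ), array( 'http', 'https' ) );
    $color = wp_unslash( $_POST['button_color'] ?? '' );
    if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ) {
        $color = '#000000'; // fall back to a safe default on malformed input
    }

    $settings = array(
        'display_text'  => $text,
        'download_link' => $link,
        'button_color'  => $color,
    );
    update_option( 'dlpn_settings', $settings );

    wp_send_json_success( $settings );
}
```

The capability check belongs inside the handler: hooking the action under `wp_ajax_` (rather than `wp_ajax_nopriv_`) only proves the caller is logged in, not that they may administer the plugin.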

Advisories

No advisories yet.

History

Tue, 18 Nov 2025 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

Type | Values Removed | Values Added
Description | | The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations.
Title | | Download Panel <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:58.791Z

Reserved: 2025-11-10T16:50:04.836Z

Link: CVE-2025-12961

Vulnrichment

Updated: 2025-11-18T21:06:33.317Z

NVD

Status : Deferred

Published: 2025-11-18T09:15:49.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses