CVE-2025-6586

Name of the Vulnerable Software and Affected Versions: Download Plugin versions up to, and including, 2.2.8

Description: The issue is related to missing file type validation in the dpwap plugin locInstall function, allowing authenticated attackers with Administrator-level access and above to upload arbitrary files on the affected site's server. This could potentially make remote code execution possible.

Recommendations: For versions up to, and including, 2.2.8, consider disabling the dpwap plugin locInstall function until a patch is available to prevent arbitrary file uploads. Restrict access to the plugin's file upload functionality to minimize the risk of exploitation. Avoid using the Download Plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.