PT-2025-47264 · WordPress · Download Panel

Ivan Cese · Published 2025-11-18 · Updated 2025-11-18 · CVE-2025-12961

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Download Panel plugin for WordPress versions up to and including 1.3.3

Description

The Download Panel plugin for WordPress is susceptible to unauthorized settings modification. This is caused by a missing capability check on the 'wp_ajax_save_settings' AJAX action. Specifically, the dlpn_save_settings() function lacks capability verification, allowing authenticated attackers with Subscriber-level access or higher to modify plugin settings. These settings include display text, download links, button colors, and other visual customizations.

Recommendations

Update the Download Panel plugin to a version later than 1.3.3.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-12961

Affected Products

Download Panel