Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
CVE-2021-24703
5.7 MEDIUM
What is CVE-2021-24703?
The Download Plugin WordPress plugin before 1.6.1 does not perform capability or CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed.
Affected Version(s)
Download Plugin < 1.6.1
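The two checks the description says were missing, shown as an added example of a hardened WordPress AJAX handler; this is not the Download Plugin source or its 1.6.1 patch. The handler name, the nonce action `example_dpwap_activate`, and the `nonce` and `plugin_file` request parameters are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Handler name, nonce action and
// request parameter names are hypothetical.

// wp_ajax_{action} fires for ANY logged-in user, subscribers included, so the
// handler itself has to enforce request origin and authorization.
add_action( 'wp_ajax_dpwap_plugin_activate', 'example_dpwap_plugin_activate' );

function example_dpwap_plugin_activate() {
    // CSRF check: require a valid nonce created for this specific action.
    // With $die = false the call returns false instead of terminating.
    if ( ! check_ajax_referer( 'example_dpwap_activate', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Capability check: only roles allowed to activate plugins may proceed.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $plugin = isset( $_POST['plugin_file'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin_file'] ) )
        : '';

    // Accept only a plugin that is actually installed: validate_plugin()
    // returns WP_Error for bad paths, missing files or unknown plugins.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    if ( '' === $plugin || is_wp_error( validate_plugin( $plugin ) ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    // wp_send_json_* helpers end the request, so no code runs after them.
    wp_send_json_success( array( 'activated' => $plugin ) );
}
```

The page that issues the request would need to embed a matching nonce from `wp_create_nonce( 'example_dpwap_activate' )` and render it only for users who hold `activate_plugins`.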