CVE-2025-12961 - Download Panel <= 1.3.3 - missing authorization to authenticated (subscriber+) a...

CVE ID : CVE-2025-12961 Published : Nov. 18, 2025, 8:27 a.m. | 26 minutes ago Description : The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...