CVE-2025-12961
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | download_panel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Download Panel plugin for WordPress, where there is a missing capability check on the 'wp_ajax_save_settings' AJAX action. Because the function dlpn_save_settings() does not verify user capabilities, authenticated users with Subscriber-level access or higher can modify plugin settings without proper authorization. This includes changing display text, download links, button colors, and other visual customizations.
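As an added example (not the plugin's own code), here is one way a callback on this AJAX action can enforce the authorization that is missing. Only the hook name and `dlpn_save_settings()` come from this page; the `manage_options` capability, the nonce action, the option name and the field names are assumptions.

```php
<?php
// Hypothetical hardened handler. Field names, option name, nonce action and
// the required capability are assumptions, not taken from the plugin.

// wp_ajax_{action} hooks fire for every logged-in user, Subscribers included,
// so the callback itself has to decide who may proceed.
add_action( 'wp_ajax_save_settings', 'dlpn_save_settings' );

function dlpn_save_settings() {
    // 1. Authorization: the capability check that CWE-862 describes as absent.
    //    wp_send_json_error() sends the response and terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF: a nonce proves the request came from the settings page. It does
    //    not replace step 1, because any logged-in user can be issued a nonce.
    check_ajax_referer( 'dlpn_save_settings', 'nonce' );

    // Read one POST field as a string; arrays and missing keys become ''.
    $field = static function ( $key ) {
        $value = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        return is_string( $value ) ? $value : '';
    };

    // 3. Allow-list: store only known keys, each through a matching sanitizer,
    //    so the request cannot write arbitrary settings.
    $settings = array(
        'display_text'  => sanitize_text_field( $field( 'display_text' ) ),
        'download_link' => esc_url_raw( $field( 'download_link' ), array( 'http', 'https' ) ),
        'button_color'  => sanitize_hex_color( $field( 'button_color' ) ) ?: '#000000',
    );

    update_option( 'dlpn_settings', $settings );
    wp_send_json_success();
}
```

For triage, a settings change on this plugin that coincides with an `admin-ajax.php` request from a non-administrator session is the event worth reviewing.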
How can this vulnerability impact me?
An attacker with at least Subscriber-level access can exploit this vulnerability to arbitrarily modify the plugin's settings. This could lead to unauthorized changes in the website's appearance and functionality related to the Download Panel plugin, such as altering download links or visual elements, potentially misleading users or disrupting site operations.