The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
CPE | Name | Operator | Version |
---|---|---|---|
download_plugin | lt | 1.6.1 |