59 matches found
CVE-2025-14399
The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the downloadpluginbulk and downloadthemebulk functions. This makes it possibl...
EUVD-2025-35346
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated...
EUVD-2021-11660
Malware in sbrugna...
EUVD-2008-1647
Malware in sbrugna...
EUVD-2025-19921
Malicious code in bioql PyPI...
EUVD-2022-39061
Malicious code in bioql PyPI...
CVE-2025-6586
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwappluginlocInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to...
CVE-2025-6586
CVE-2025-6586 affects the WordPress Download Plugin (versions up to 2.2.8). The vulnerability arises from missing file-type validation in the dpwap_plugin_locInstall path, allowing an authenticated Administrator+ to upload arbitrary files via the multi-upload flow. The implementation moves upload...
CVE-2025-6586 Download Plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwappluginlocInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to...
PT-2025-27848 · Unknown · Download Plugin
Name of the Vulnerable Software and Affected Versions: Download Plugin versions up to, and including, 2.2.8 Description: The issue is related to missing file type validation in the dpwap plugin locInstall function, allowing authenticated attackers with Administrator-level access and above to uplo...
WordPress plugin Download Plugin code issue vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A code issue vulnerability exists i...
WordPress Download Plugin plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
Authenticated Administrator+ Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin Download versions <= 2.2.8...
CVE-2025-5034
The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
PT-2025-26495
Name of the Vulnerable Software and Affected Versions: wp-file-download WordPress plugin versions prior to 6.2.6 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being outputted back in the...
VulnCheck KEV: CVE-2016-10924
The ebook-download plugin before 1.2 for WordPress has directory traversal...
CVE-2024-9829
The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to missing capability checks on the 'dpwaphandledownloaduser' and 'dpwaphandledownloadcomment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, wit...
CVE-2022-36345
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin = 2.0.4 versions...
CVE-2021-24748
The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues...