The plugin does not have authorisation and CSRF checks when resetting its settings, which could allow any authenticated user, such as a subscriber, to perform this action.
https://example.com/wp-admin/admin-ajax.php?action=ddlay_restore_defaults
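
For triage on a site that ran an affected version, the sketch below scans web server access logs for requests to the reset action shown above and marks those whose Referer is on another origin, which is consistent with a forged request. It is an added example, not code from the plugin or the advisory; the Combined Log Format, the `SITE_HOST` value and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

ACTION = "ddlay_restore_defaults"  # action name taken from the PoC URL above
SITE_HOST = "example.com"          # assumption: the site's own hostname

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def find_reset_requests(lines):
    """Return one dict per logged request that invoked the settings-reset action."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        target = urlsplit(m["target"])
        if not target.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if ACTION not in parse_qs(target.query).get("action", []):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None when referer is "-" or empty
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            # A referer on a different origin is consistent with a CSRF-driven reset.
            "cross_site": ref_host is not None and ref_host != SITE_HOST,
        })
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2022:09:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=ddlay_restore_defaults HTTP/1.1" 200 1 "https://other-site.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2022:09:20:45 +0000] "GET /wp-admin/admin-ajax.php?action=ddlay_restore_defaults HTTP/1.1" 200 1 "-" "curl/7.79.1"',
    '198.51.100.9 - - [10/Mar/2022:09:21:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "https://example.com/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_reset_requests(SAMPLE):
        print(hit)
```

Only requests that carry the action in the query string are visible this way; an action sent in a POST body does not appear in a standard access log.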
CPE

Name | Operator | Version |
---|---|---|
files-download-delay | lt | 1.0.7 |