CVE-2025-12961
The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the dlpn_save_settings() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations.
No affected software listed.
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime