{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12961", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-10T16:50:04.836Z", "datePublished": "2025-11-18T08:27:37.109Z", "dateUpdated": "2026-04-08T17:28:58.791Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:58.791Z"}, "affected": [{"vendor": "arkadiykilesso", "product": "Download Panel (Biggiko Team)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations."}], "title": "Download Panel <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1a1df7e-1a57-45b3-a4b3-cb3218782ad9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L51"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2025-11-17T20:15:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T21:06:07.949729Z", "id": "CVE-2025-12961", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:06:36.835Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T21:06:07.949729Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:06:33.317Z"}}], "cna": {"title": "Download Panel <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "arkadiykilesso", "product": "Download Panel (Biggiko Team)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-17T20:15:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1a1df7e-1a57-45b3-a4b3-cb3218782ad9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L51"}], "descriptions": [{"lang": "en", "value": "The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:58.791Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12961", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:58.791Z", "dateReserved": "2025-11-10T16:50:04.836Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T08:27:37.109Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations."}], "id": "CVE-2025-12961", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T09:15:49.663", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L51"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1a1df7e-1a57-45b3-a4b3-cb3218782ad9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:16:34.424251+00:00", "value": {"mitigation_remediation": ["Upgrade the Download Panel plugin to version 1.3.4 or later, which includes an authorization check for the wp_ajax_save_settings endpoint.", "If an upgrade is not immediately possible, modify the dlpn_save_settings() function or add a hook to require the current user to have the 'manage_options' capability before applying changes.", "After applying the fix, audit the plugin\u2019s configuration values to ensure no unauthorized alterations remain and consider disabling the plugin on production sites until the patch is applied."], "summary": {"action": "Update Plugin", "impact": "Privilege Escalation (Configuration Modification)"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of the Download Panel plugin up to and including version 1.3.3. The plugin is distributed by arkadiykilesso (Biggiko Team) and is commonly installed on WordPress sites that require a download panel feature. Any site running one of the affected versions is susceptible; newer releases beyond 1.3.3 have corrected the oversight.", "description_and_impact": "The Download Panel WordPress plugin contains a missing capability check in its AJAX handler, the dlpn_save_settings() function. This flaw allows any authenticated user with at least Subscriber-level access to invoke the wp_ajax_save_settings action and arbitrarily alter plugin settings, such as display text, download links, and button appearance. The vulnerability is a classic example of CWE\u2011862, a missing authorization weakness, and while it does not permit code execution, it can be used to deface a site or redirect users.", "risk_and_exploitability": "The vulnerability scores a moderate CVSS of 4.3, with an EPSS below 1%, indicating a low exploitation probability at the time of analysis. It is not listed in CISA's KEV catalog. Because the attack vector requires authentication, an attacker only needs to be logged into the WordPress instance with Subscriber or higher privileges. Once authenticated, the attacker can send a crafted AJAX request to the vulnerable endpoint and manipulate the plugin\u2019s configuration without further escalation."}}}}, "created": "2025-11-18T14:15:48.120513+00:00", "updated": "2026-04-21T18:30:27.574570+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}