• WordFence has issued the following report:

    The Download After Email plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

    Download After Email <= 2.1.9 – Missing Authorization

    Is an update underway? I have disabled the plugin for the time being.

    Many thanks!

    The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)
  • Plugin Author mkscripts

    (@mkscripts)

    Thank you for your concern and for bringing this to our attention. We are aware of the recent report regarding the potential for downloading arbitrary files. According to Patchstack, this issue is considered low priority and does not pose a significant security threat in real-world scenarios.

    The reason for this is twofold:

    1. The vulnerability relies on an attacker being able to guess exact filenames (uploads folder), which is highly unlikely in most environments.
    2. Our plugin uses robust rate limiting, making automated or brute-force attacks impractical.

    It is also important to note that the reported issue only affects files within the WordPress uploads directory (including dae-uploads and other subfolders). There is no risk of accessing files outside of uploads, such as core WordPress files or sensitive server files.

    We take security seriously and are actively working on a security patch that will add strict validation to ensure that only files intentionally published for download can actually be accessed. We expect to release this update next week.

    Thank you for your vigilance and for helping us keep the plugin secure for everyone.

    Kind regards,
    Team Download After Email
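
    As an added illustration of the fix the author describes above (this is example code, not the plugin's own code, and none of the names below come from the plugin), the snippet shows a download handler that only serves files an administrator has explicitly published. Instead of accepting a filename from the request, the endpoint accepts an opaque download id, looks it up in an allowlist of published files, and, as a second layer, confirms the resolved path still lies inside the WordPress uploads directory. The option name `dae_example_published`, the action `dae_example_download`, and the `download_id` form field are hypothetical assumptions for the example.

```php
<?php
// Added example (not the plugin's own code): a hardened download endpoint that
// serves only files an administrator has explicitly published.
// Assumptions, all hypothetical: published downloads are stored in the option
// 'dae_example_published' as [ id => path relative to the uploads directory ],
// and the public form submits a download id plus a nonce, never a filename.

add_action( 'admin_post_nopriv_dae_example_download', 'dae_example_handle_download' );
add_action( 'admin_post_dae_example_download', 'dae_example_handle_download' );

/**
 * Map a published download id to an absolute path, or return false.
 * Two independent checks: the id must be in the allowlist, and the
 * resolved path must stay under the uploads base directory.
 */
function dae_example_resolve_published_file( $id ) {
    $published = get_option( 'dae_example_published', array() );
    if ( ! isset( $published[ $id ] ) ) {
        return false; // Unknown id: refuse without touching the filesystem.
    }

    $upload_dir = wp_upload_dir();
    $base       = wp_normalize_path( trailingslashit( $upload_dir['basedir'] ) );
    $path       = realpath( $base . $published[ $id ] );

    // realpath() collapses "../" segments and symlinks; require the result to
    // remain inside uploads even if the stored entry was ever tampered with.
    if ( false === $path || 0 !== strpos( wp_normalize_path( $path ), $base ) ) {
        return false;
    }
    return $path;
}

/**
 * Handle the public download request after the visitor submits the form.
 */
function dae_example_handle_download() {
    // The nonce ties the request to a form the visitor actually rendered, so the
    // endpoint cannot simply be called directly with arbitrary parameters.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'dae_example_download' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    $id   = isset( $_POST['download_id'] ) ? absint( $_POST['download_id'] ) : 0;
    $path = dae_example_resolve_published_file( $id );
    if ( ! $path ) {
        // Same response for "unknown id" and "path escaped uploads", so the
        // response does not reveal which check failed.
        wp_die( 'File not available.', '', array( 'response' => 404 ) );
    }

    // Serve as an attachment; only the basename is echoed, never the stored path.
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

    The design point is that the allowlist lookup, not the path check, is what makes "only files intentionally published for download" true: a visitor can only name ids that exist in the option, so guessing filenames in the uploads folder buys nothing. The `realpath` confinement is defense in depth for the case where the stored entries themselves are ever corrupted.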
