Download Plugin Security & Risk Analysis

wordpress.org/plugins/download-plugin

Download any plugin from your WordPress admin panel's Plugins page by just one click! Now, download themes, users, blog posts, pages, custom post …

50K active installs · v2.4.0 · PHP 5.6+ · WP 4.8+ · Updated Mar 6, 2026
Tags: download, download-plugin, download-plugin-zip, plugin-zip, plugins
94
A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Jul 3, 2025
Safety Verdict

Is Download Plugin Safe to Use in 2026?

Generally Safe

Score 94/100

Download Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

5 known CVEs · Last CVE: Jul 3, 2025 · Updated 2mo ago
Risk Assessment

The 'download-plugin' v2.4.0 exhibits a mixed security posture. Its strengths are SQL query handling, with 100% prepared statements, and a high rate of output escaping (80%). The concerns lie in its attack surface. One AJAX handler is unprotected, which is a significant risk because it could be exploited by unauthenticated users. The use of the `unserialize` function is also a red flag: it can lead to Remote Code Execution unless its input is handled with extreme care and sanitized, and the provided data does not show that the input is safe. Taint analysis shows no critical or high severity flows, which is a positive sign.

However, the plugin's historical vulnerability record is concerning. Five known CVEs, including one high-severity vulnerability and a recent one in 2025, suggest a pattern of security weaknesses that calls for diligent patching and potentially a more robust development process. The common vulnerability types also point to recurring gaps in authorization and CSRF protection, controls that are critical for secure web applications.

Key Concerns

  • AJAX handler without auth check
  • Dangerous function: unserialize
  • One high severity historical CVE
  • Flow with unsanitized path
  • Output escaping rate below 100%
Vulnerabilities
5 published

Download Plugin Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2022: 1 CVE
2023: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 4

5 total CVEs

CVE-2025-6586 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Download Plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload

Jul 3, 2025 Patched in 2.2.9 (159d)
CVE-2024-9829 · medium · 6.5 · Missing Authorization

Download Plugin <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) User Metadata and Comment Download

Oct 22, 2024 Patched in 2.2.1 (1d)
CVE-2022-36345 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Download Plugin <= 2.0.4 - Cross-Site Request Forgery

May 24, 2023 Patched in 2.0.5 (244d)
CVE-2021-25059 · medium · 6.5 · Authorization Bypass Through User-Controlled Key

Download Plugin <= 1.6.2 - Missing Authorization and Sensitive Information Exposure

Nov 2, 2022 Patched in 2.0.0 (447d)
CVE-2021-24703 · medium · 5.7 · Cross-Site Request Forgery (CSRF)

Download Plugin < 1.6.1 - Cross-Site Request Forgery

Oct 19, 2021 Patched in 1.6.1 (826d)
Version History

Download Plugin Release Timeline

v2.4.0 · Current
v2.3.1
v2.3.0
v2.2.9
v2.2.8 · 1 CVE
v2.2.7 · 1 CVE
v2.2.6 · 1 CVE
v2.2.5 · 1 CVE
v2.2.4 · 1 CVE
v2.2.3 · 1 CVE
v2.2.2 · 1 CVE
v2.2.1 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Download Plugin Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 19 (77 escaped)
Nonce Checks: 11
Capability Checks: 25
File Operations: 25
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$response = unserialize( $response[1] );` · app\Plugins\Dpwapuploader.php:182

Output Escaping

80% escaped · 96 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

7 flows · 1 with unsanitized paths
dpwap_plugin_all_activate (app\Plugins\Dpwapuploader.php:81)
Attack Surface
1 unprotected

Download Plugin Attack Surface

Entry Points: 5
Unprotected: 1

AJAX Handlers 5

auth · wp_ajax_dpwap_dismiss_eventprime_promotion · app\Main.php:26
auth · wp_ajax_dpwap_dismiss_notice_action · app\Main.php:39
auth · wp_ajax_dpwap_customize_plugin · app\Main.php:41
auth · wp_ajax_dpwap_plugin_download_url · app\Plugins\Base.php:44
auth · wp_ajax_dpwap_plugin_activate · app\Plugins\Base.php:50
WordPress Hooks 28
action · admin_enqueue_scripts · app\Main.php:22
action · admin_notices · app\Main.php:25
action · admin_init · app\Main.php:37
action · admin_menu · app\Main.php:38
action · admin_footer · app\Main.php:40
action · init · app\Plugins\Base.php:26
action · admin_menu · app\Plugins\Base.php:28
action · admin_enqueue_scripts · app\Plugins\Base.php:30
filter · bulk_actions-plugins · app\Plugins\Base.php:36
action · admin_head · app\Plugins\Base.php:38
action · admin_footer · app\Plugins\Base.php:42
action · admin_notices · app\Plugins\Base.php:46
action · network_admin_notices · app\Plugins\Base.php:48
action · admin_enqueue_scripts · app\Themes\Base.php:13
action · admin_init · app\Themes\Base.php:14
action · plugins_loaded · download-plugin.php:49
filter · post_row_actions · download-plugin.php:110
filter · page_row_actions · download-plugin.php:111
action · admin_init · download-plugin.php:147
action · admin_init · download-plugin.php:148
action · admin_init · download-plugin.php:268
action · admin_init · download-plugin.php:283
filter · comment_row_actions · download-plugin.php:303
filter · user_row_actions · download-plugin.php:320
filter · bulk_actions-edit-comments · download-plugin.php:327
filter · handle_bulk_actions-edit-comments · download-plugin.php:336
filter · bulk_actions-users · download-plugin.php:343
filter · handle_bulk_actions-users · download-plugin.php:352
Maintenance & Trust

Download Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 6, 2026
PHP min version: 5.6
Downloads: 949K

Community Trust

Rating: 88/100
Number of ratings: 22
Active installs: 50K
Developer Profile

Download Plugin Developer Profile

Metagauss

7 plugins · 79K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 231 days
Detection Fingerprints

How We Detect Download Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Script Paths
/wp-content/plugins/download-plugin/vendor/autoload.php

HTML / DOM Fingerprints

Data Attributes
dpwap_download, dpwap_bulk_download
FAQ

Frequently Asked Questions about Download Plugin