Download Theme Security & Risk Analysis

wordpress.org/plugins/download-theme

Download any theme from your WordPress admin panel's Appearance page by just one click!

4K active installs · v1.1.2 · PHP + WP 3.0+ · Updated Apr 23, 2025

Tags: download-theme, download-theme-zip, theme, theme-zip, themes

Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: May 24, 2023
Safety Verdict

Is Download Theme Safe to Use in 2026?

Generally Safe

Score 100/100

Download Theme has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: May 24, 2023 · Updated 11mo ago
Risk Assessment

The download-theme v1.1.2 plugin exhibits a generally positive security posture with several good practices in place. Notably, all SQL queries utilize prepared statements, and there are no reported critical or high severity vulnerabilities in its history. The static analysis also indicates a lack of dangerous functions and taint flows, which are positive signs. The presence of nonce and capability checks on most entry points further strengthens its security.

However, there is a notable concern arising from the static analysis: one of the three AJAX handlers lacks any authentication checks. This represents a direct attack vector that could be exploited by unauthenticated users. While the plugin has a history of a medium severity CSRF vulnerability, the current lack of authentication on an AJAX endpoint is a more immediate and direct risk that needs attention. The plugin's limited file operations and absence of external HTTP requests are also positive, but the single unprotected entry point is a significant weakness.

In conclusion, while the download-theme plugin demonstrates good fundamental security practices, the unprotected AJAX handler is a critical oversight. The plugin's past medium-severity CSRF vulnerability, though patched, also highlights a potential area of weakness that should be monitored. Addressing the unprotected AJAX endpoint should be the highest priority to mitigate immediate risks.

Key Concerns

  • AJAX handler without auth checks
  • Past medium severity vulnerability
Vulnerabilities: 1

Download Theme Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2022-38062 · medium · 5.3 · Cross-Site Request Forgery (CSRF)

Download Theme <= 1.0.9 - Cross-Site Request Forgery via dtwap_download()

May 24, 2023 · Patched in 1.1.0 (244d)

Code Analysis (analyzed Mar 16, 2026)

Download Theme Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 2 (5 escaped)
  • Nonce Checks: 3
  • Capability Checks: 3
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 0

Output Escaping

71% escaped (7 total outputs)

Data Flows: all sanitized

Data Flow Analysis

4 flows
  • dtwap_download (download-theme.php:82)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized

Attack Surface: 1 unprotected

Download Theme Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers (3)

  • auth · wp_ajax_dtwap_dismissible_notice · download-theme.php:149
  • auth · wp_ajax_dt_send_inquiry_email · download-theme.php:151
  • auth · wp_ajax_dtwap_dismissible_notice_hide · download-theme.php:300

WordPress Hooks (7)

  • action · admin_enqueue_scripts · download-theme.php:74
  • action · admin_init · download-theme.php:147
  • action · admin_footer · download-theme.php:148
  • action · admin_notices · download-theme.php:150
  • action · admin_footer · download-theme.php:209
  • action · admin_head · download-theme.php:316
  • action · admin_init · download-theme.php:344
Maintenance & Trust

Download Theme Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Apr 23, 2025
  • PHP min version
  • Downloads: 128K

Community Trust

  • Rating: 80/100
  • Number of ratings: 7
  • Active installs: 4K
Developer Profile

Download Theme Developer Profile

Metagauss

7 plugins · 79K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 250 days
Detection Fingerprints

How We Detect Download Theme

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/download-theme/js/dtwap-dismiss-script.js
  • /wp-content/plugins/download-theme/css/dt-form.css
  • /wp-content/plugins/download-theme/css/dtwap-admin.css
  • /wp-content/plugins/download-theme/js/dtwap-admin.js
  • /wp-content/plugins/download-theme/css/download-theme-popup.css
  • /wp-content/plugins/download-theme/js/download-theme-popup.js
Script Paths
  • /wp-content/plugins/download-theme/js/dtwap-dismiss-script.js
  • /wp-content/plugins/download-theme/js/dtwap-admin.js
  • /wp-content/plugins/download-theme/js/download-theme-popup.js
Version Parameters
  • download-theme/js/dtwap-dismiss-script.js?ver=
  • download-theme/css/dt-form.css?ver=
  • download-theme/css/dtwap-admin.css?ver=
  • download-theme/js/dtwap-admin.js?ver=
  • download-theme/css/download-theme-popup.css?ver=
  • download-theme/js/download-theme-popup.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • dtwap-dismissible
  • dtwap-notice-modal
  • dtwap-notice-modal-content
  • dtwap-notice-modal-close
  • dtwap-form-wrap
  • dtwap-form-head-wrap
  • dtwap-form-heading
  • dtwap-form-subheading
  • (+2 more)
Data Attributes
  • id="dtwap_dismissible_plugin"
  • id="dtwap-noticeBtnhide7"
  • id="dtwap-noticeBtnhide15"
  • id="dtwap-noticeBtn"
  • id="dtwap-noticeBtnhidenever"
  • id="dtwap-notice-modal"
  • (+3 more)
JS Globals
  • dtwap_object
  • dtwap
FAQ

Frequently Asked Questions about Download Theme