Secure Downloads Security & Risk Analysis

wordpress.org/plugins/secure-downloads

Easily generate and distribute secure links for file downloads that can expire, and track every download.

700 active installs · v1.2.5 · PHP 5.2.4+ · WP 4.0+ · Updated Dec 3, 2025
Tags: digital-downloads, downloads, file-downloads, links, protected-links
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Sep 3, 2024
Safety Verdict

Is Secure Downloads Safe to Use in 2026?

Generally Safe

Score 99/100

Secure Downloads has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Sep 3, 2024 · Updated 5mo ago
Risk Assessment

The "secure-downloads" plugin v1.2.5 exhibits a mixed security posture. On the positive side, the plugin boasts a completely clean attack surface with no AJAX handlers, REST API routes, shortcodes, or cron events exposed without proper authentication or permission checks. The high percentage of SQL queries using prepared statements and the presence of nonce and capability checks are also good security indicators.

However, significant concerns arise from the static analysis. The presence of the `unserialize()` function is a critical red flag, as it can lead to Remote Code Execution (RCE) vulnerabilities if untrusted data is passed to it. Furthermore, the taint analysis reveals that all 13 analyzed flows involve unsanitized paths, and while currently not classified as critical or high severity, this pattern, coupled with 13 file operations, strongly suggests a potential for path traversal vulnerabilities. The vulnerability history, which includes a medium-severity "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" vulnerability discovered recently, reinforces this concern.

In conclusion, while the plugin demonstrates strengths in its controlled entry points and use of prepared statements, the reliance on `unserialize()` and the pervasive unsanitized path flows, validated by past vulnerabilities, represent a substantial risk. Users should exercise extreme caution, and further investigation into how `unserialize()` is used and how input is handled for file operations is strongly recommended.

Key Concerns

  • Unsanitized path flows detected
  • Use of unserialize() detected
  • Medium severity path traversal vulnerability history
  • Significant number of file operations
  • Output escaping not fully implemented
Vulnerabilities
1 published

Secure Downloads Security Vulnerabilities

CVEs by Year: 1 CVE in 2024

Severity Breakdown: Medium 1 (1 total CVE)

CVE-2024-8031 · medium · 4.9 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Secure Downloads <= 1.2.2 - Authenticated (Admin+) Arbitrary File Download

Sep 3, 2024 Patched in 1.2.3 (10d)
Version History

Secure Downloads Release Timeline

v1.2.5 · Current
v1.2.4
v1.2.2 · 1 CVE
v1.2.1 · 1 CVE
v1.2 · 1 CVE
v1.1.5 · 1 CVE
v1.1.4 · 1 CVE
v1.1.3 · 1 CVE
v1.1.2 · 1 CVE
v1.1.1 · 1 CVE
v1.1 · 1 CVE
v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Secure Downloads Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (10 prepared)
Unescaped Output: 333 (454 escaped)
Nonce Checks: 10
Capability Checks: 3
File Operations: 13
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `return unserialize( strtolower( serialize( $array ) ) );` (core\opsd-functions.php:346)

SQL Query Safety

91% prepared · 11 total queries

Output Escaping

58% escaped · 787 total outputs
Data Flows · Security
13 unsanitized

Data Flow Analysis

13 flows · 13 with unsanitized paths
content (core\admin\exmpl-page-with-toolbars-listing.php:56)
Attack Surface

Secure Downloads Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 58
action · opsd_after_settings_content · core\admin\api-settings.php:37
filter · opsd_settings_validate_fields_before_saving · core\admin\api-settings.php:950
action · opsd_menu_created · core\admin\exmpl-page-settings.php:200
action · opsd_menu_created · core\admin\exmpl-page-with-toolbars-listing.php:105
action · opsd_menu_created · core\admin\page-email-download_notification.php:900
filter · opsd_email_api_is_allow_send_copy · core\admin\page-email-download_notification.php:936
action · opsd_menu_created · core\admin\page-email-link-user.php:893
filter · opsd_email_api_is_allow_send_copy · core\admin\page-email-link-user.php:944
action · opsd_menu_created · core\admin\page-files-add.php:305
action · opsd_menu_created · core\admin\page-files-sortable.php:490
action · opsd_menu_created · core\admin\page-send.php:813
action · opsd_menu_created · core\admin\page-settings.php:296
filter · upgrader_post_install · core\any\activation.php:46
filter · plugin_action_links · core\any\activation.php:49
filter · plugin_row_meta · core\any\activation.php:51
action · plugins_loaded · core\any\activation.php:185
filter · phpmailer_init · core\any\api-emails.php:39
action · wp_mail_failed · core\any\api-emails.php:41
action · admin_menu · core\any\class-admin-menu.php:69
action · admin_menu · core\any\class-admin-menu.php:71
action · opsd_define_nav_tabs · core\any\class-admin-page-structure.php:38
action · opsd_page_structure_show · core\any\class-admin-page-structure.php:40
action · opsd_after_settings_content · core\any\class-admin-settings-api.php:101
action · admin_enqueue_scripts · core\any\class-css-js.php:20
action · wp_enqueue_scripts · core\any\class-css-js.php:21
action · opsd_load_js_on_admin_page · core\any\class-css-js.php:23
action · opsd_load_css_on_admin_page · core\any\class-css-js.php:24
action · opsd_enqueue_js_files · core\any\opsd-class-dismiss.php:61
action · opsd_enqueue_css_files · core\any\opsd-class-dismiss.php:62
action · opsd_hook_opsd_page_header · core\any\opsd-class-notices.php:22
action · opsd_settings_after_header · core\any\opsd-class-notices.php:23
filter · locale · core\opsd-ajax.php:57
action · admin_init · core\opsd-ajax.php:130
action · template_redirect · core\opsd-download.php:1278
filter · opsd_email_api_get_subject_before · core\opsd-emails.php:185
filter · opsd_email_api_get_content_before · core\opsd-emails.php:210
filter · opsd_email_api_get_content_after · core\opsd-emails.php:226
filter · opsd_email_api_get_headers_after · core\opsd-emails.php:270
filter · opsd_email_api_is_allow_send · core\opsd-emails.php:287
filter · opsd_email_api_is_allow_send_copy · core\opsd-emails.php:288
action · opsd_email_sending_error · core\opsd-emails.php:325
action · admin_bar_menu · core\opsd-functions.php:915
filter · opsd_send_secure_download_email_to_user_filter · core\opsd-functions.php:1941
action · opsd_send_secure_download_email_to_user · core\opsd-functions.php:1944
filter · opsd_is_load_script_on_this_page · core\opsd-js.php:291
filter · load_textdomain_mofile · core\opsd-translation.php:184
filter · plugin_locale · core\opsd-translation.php:227
filter · upload_dir · core\opsd-upload.php:56
action · admin_footer · core\opsd-upload.php:58
filter · attachment_fields_to_edit · core\opsd-upload.php:610
action · edit_attachment · core\opsd-upload.php:624
filter · wp_prepare_attachment_for_js · core\opsd-upload.php:650
action · _admin_menu · core\opsd.php:72
action · admin_footer · core\opsd.php:74
action · wp_enqueue_scripts · core\opsd.php:80
action · wp_enqueue_scripts · core\opsd.php:81
action · wp_footer · core\opsd.php:82
action · admin_notices · core\opsd.php:342
Maintenance & Trust

Secure Downloads Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version: 5.2.4
Downloads: 31K

Community Trust

Rating: 82/100
Number of ratings: 10
Active installs: 700
Developer Profile

Secure Downloads Developer Profile

wpdevelop

25 plugins · 59K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 427 days
Detection Fingerprints

How We Detect Secure Downloads

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/secure-downloads/core/any/opsd-admin-menu.css
/wp-content/plugins/secure-downloads/core/any/opsd-admin-menu.js
/wp-content/plugins/secure-downloads/core/any/opsd-admin-page.css
/wp-content/plugins/secure-downloads/core/any/opsd-admin-page.js
/wp-content/plugins/secure-downloads/core/any/opsd-item.css
/wp-content/plugins/secure-downloads/core/any/opsd-item.js
/wp-content/plugins/secure-downloads/core/any/opsd-main.css
/wp-content/plugins/secure-downloads/core/any/opsd-main.js
Script Paths
/wp-content/plugins/secure-downloads/core/any/opsd-admin-menu.js
/wp-content/plugins/secure-downloads/core/any/opsd-admin-page.js
/wp-content/plugins/secure-downloads/core/any/opsd-item.js
/wp-content/plugins/secure-downloads/core/any/opsd-main.js
Version Parameters
secure-downloads/core/any/opsd-admin-menu.css?ver=
secure-downloads/core/any/opsd-admin-menu.js?ver=
secure-downloads/core/any/opsd-admin-page.css?ver=
secure-downloads/core/any/opsd-admin-page.js?ver=
secure-downloads/core/any/opsd-item.css?ver=
secure-downloads/core/any/opsd-item.js?ver=
secure-downloads/core/any/opsd-main.css?ver=
secure-downloads/core/any/opsd-main.js?ver=

HTML / DOM Fingerprints

CSS Classes
opsd-admin-menu, opsd-admin-page, opsd-item
HTML Comments
<!-- Secure Downloads -->
<!-- secure-downloads by wpdevelop -->
<!-- Admin Menu of plugin secure-downloads -->
<!-- Admin Page of plugin secure-downloads -->
(+3 more)
Data Attributes
data-id, data-file, data-key
JS Globals
OPSD_JS, opsd_data
FAQ

Frequently Asked Questions about Secure Downloads