CVE-2026-24541

Download After Email <= 2.1.9 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 2.1.10
Time to patch: 82d

Description

The Download After Email plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.1.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 2.1.9
Published: January 24, 2026
Last updated: April 15, 2026
Affected plugin: download-after-email

What Changed in the Fix

Changes introduced in v2.1.10


Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-24541 - Missing Authorization in Download After Email

Vulnerability Summary

The Download After Email plugin (versions <= 2.1.9) contains a missing authorization vulnerability in its initialization logic. Specifically, the plugin handles administrative actions—such as duplicating "Download" posts—within functions hooked to init or admin_init without verifying the user's capabilities or checking for a valid security nonce. This allows unauthenticated attackers to trigger these actions by sending crafted HTTP requests, leading to unauthorized data modification (e.g., mass-creating duplicate posts).

Attack Vector Analysis

  • Endpoint: Any frontend or backend page that triggers the init hook (e.g., /, /wp-admin/admin-ajax.php).
  • HTTP Parameter: dae_duplicate (GET or POST).
  • Authentication: None required (Unauthenticated).
  • Preconditions: At least one dae_download post must exist in the database to be duplicated.

Code Flow

  1. Entry Point: The plugin registers a function dae_post_types_init to the init hook in includes/post-types.php.
  2. Hook Registration: add_action( 'init', 'dae_post_types_init' ); (Line 9, includes/post-types.php).
  3. Execution: When WordPress initializes, dae_post_types_init
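The summary above attributes the flaw to an action handler hooked on init with neither a capability check nor a nonce check. The following is an added example, not code from the Download After Email plugin, showing how a duplicate-post handler for a hypothetical dae_duplicate action is hardened: it is moved off the init hook onto admin_post_{action} (which only fires for authenticated users), and it verifies a nonce, a per-post capability, and the post type before inserting anything. The function names dae_handle_duplicate_request and dae_duplicate_link and the text domain 'dae' are assumptions; the post type dae_download and the parameter name dae_duplicate come from the advisory.

```php
<?php
// Added example (not the plugin's own code). Hardened handler for a
// hypothetical "dae_duplicate" action. Registering on admin_post_{action}
// instead of 'init' means unauthenticated requests never reach it.
add_action( 'admin_post_dae_duplicate', 'dae_handle_duplicate_request' );

function dae_handle_duplicate_request() {
    $post_id = isset( $_GET['dae_duplicate'] ) ? absint( $_GET['dae_duplicate'] ) : 0;

    // 1. Nonce check, bound to this post ID: blocks forged cross-site requests.
    //    check_admin_referer() calls wp_die() itself on failure.
    check_admin_referer( 'dae_duplicate_' . $post_id );

    // 2. Capability check on the specific post, not merely "is logged in".
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to duplicate this download.', 'dae' ), 403 );
    }

    // 3. Only the plugin's own post type may be duplicated.
    $source = get_post( $post_id );
    if ( ! $source || 'dae_download' !== $source->post_type ) {
        wp_die( esc_html__( 'Invalid download.', 'dae' ), 400 );
    }

    // Create the copy as a draft owned by the acting user; never publish silently.
    $new_id = wp_insert_post( array(
        'post_type'    => 'dae_download',
        'post_status'  => 'draft',
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_author'  => get_current_user_id(),
    ), true );

    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ), 500 );
    }

    wp_safe_redirect( admin_url( 'post.php?action=edit&post=' . $new_id ) );
    exit;
}

// Builds the link an editor clicks; wp_nonce_url() ties the nonce to this post ID
// so the handler's check_admin_referer() call above will accept it.
function dae_duplicate_link( $post_id ) {
    $url = admin_url( 'admin-post.php?action=dae_duplicate&dae_duplicate=' . absint( $post_id ) );
    return wp_nonce_url( $url, 'dae_duplicate_' . absint( $post_id ) );
}
```

When auditing a fix like v2.1.10, confirm all three checks are present and that the handler is no longer reachable from the unauthenticated init path, not just that one check was added.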
