Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation

The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.

N/A

关键资源的不正确权限授予

WordPress plugin Download Plugin 跨站请求伪造漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Download Plugin 存在跨站请求伪造漏洞，该漏洞源于 dpwap_plugin_activate AJAX 操作没有跨站请求伪造（CSRF）检查，允许任何经过身份验证的用户（例如订阅者）激活已安装的插件。

N/A

N/A