CVE-2026-24541

Vulnerability

Overview The Download After Email plugin for WordPress (versions n/a through 2.1.9) contains a Missing Authorization vulnerability [1]. This broken access control issue arises from an incorrectly configured access control security level, meaning the plugin fails to properly check user permissions or nonce tokens in certain functions [1].

Exploitation and

Attack Surface An unprivileged user can exploit this vulnerability to execute higher privileged actions, as there is a missing authorization or authentication check [1]. The attack does not require any authentication bypass beyond the missing check itself, and the vulnerability is considered to have low severity, making exploitation unlikely according to the advisory [1]. However, such flaws are noted to be used in mass-exploit campaigns against thousands of websites [1].

Impact and

Remediation If exploited, an attacker could gain unauthorized access to features or data that should be restricted to higher-privileged users [1]. The immediate mitigation is to update to version 2.1.10 or later, which resolves the issue [1]. For sites unable to update immediately, users are advised to contact their hosting provider or web developer for assistance [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].