Skip to main content

Digital Download CVE-2026-32382

| EUVDEUVD-2026-11885 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11885
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in raratheme Digital Download digital-download allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Digital Download: from n/a through <= 1.1.4.

AnalysisAI

Improperly configured access controls in raratheme Digital Download through version 1.1.4 enable unauthenticated attackers to modify content without authorization. This missing authorization vulnerability allows remote attackers to alter data integrity in affected installations. No patch is currently available for this vulnerability.

Technical ContextAI

This vulnerability is classified under CWE-862 (Missing Authorization), which represents a failure to implement proper access control checks before permitting sensitive operations. The raratheme Digital Download plugin, a WordPress extension for managing digital product downloads, fails to enforce authorization controls at the application level when processing download-related requests. The affected technology involves WordPress's plugin architecture where custom endpoints or AJAX handlers may lack proper capability checks (such as is_user_logged_in() or current_user_can() in WordPress context), allowing unauthenticated or low-privileged users to perform administrative actions. The issue spans versions from an unspecified baseline through version 1.1.4, suggesting the vulnerability was introduced in an earlier version and persisted through the patched version threshold.

RemediationAI

Immediately upgrade the raratheme Digital Download plugin to a version higher than 1.1.4 once available from the vendor. Users should log into their WordPress dashboard, navigate to Plugins > Installed Plugins, locate Digital Download, and update to the patched version. If no patched version is immediately available, temporarily disable the plugin until an update is released, or restrict access to the WordPress administration area and download functionality to trusted IP ranges via web server configuration or WordPress security plugins. Additionally, implement WordPress security best practices including limiting direct access to plugin files via .htaccess rules and ensuring all users have appropriately restrictive role capabilities. Review access logs for any unauthorized download activity that may have occurred while the plugin was vulnerable.

Share

CVE-2026-32382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy