CVE-2024-9829: 
WordPress vulnerability analysis and mitigation

The Download Plugin for WordPress (versions up to 2.2.0) contains a vulnerability due to missing capability checks in the 'dpwaphandledownloaduser' and 'dpwaphandledownloadcomment' functions. The vulnerability was discovered and disclosed on October 23, 2024, and is tracked as CVE-2024-9829 (NVD).

The vulnerability stems from insufficient authorization checks in two key functions: 'dpwaphandledownloaduser' and 'dpwaphandledownloadcomment'. This security flaw has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to download any comment and access user metadata. The exposed data can include sensitive information such as usernames, email addresses, hashed passwords, application passwords, session token information, and potentially more depending on the WordPress installation's configuration and installed plugins (NVD).

A patch has been released to address this vulnerability. Users should upgrade to version 2.2.1 or later of the Download Plugin to mitigate this security issue (WordPress Plugin).