The duplicate() method, hooked to the admin_init action, did not have any CSRF or authorisation checks, allowing unauthorised users (such as unauthenticated ones) to duplicate arbitrary downloads.
As an unauthenticated or authenticated user, open the following URL to duplicate the Download with id 717:

https://example.com/wp-admin/admin-post.php?wpdm_duplicate=717
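The two missing checks, shown as an added example that sets the vulnerable shape beside a hardened one (this is not the plugin's code or its actual patch). Every example_* function name, the nonce action string and the choice of the edit_post capability are assumptions made for illustration.

```php
<?php
// Added illustration. All example_* names and the nonce action are hypothetical.

// Vulnerable shape: admin_init also fires on admin-post.php for visitors who
// are not logged in, so this runs for anyone who sends the parameter.
function example_duplicate_vulnerable() {
    if ( isset( $_GET['wpdm_duplicate'] ) ) {
        example_clone_download( (int) $_GET['wpdm_duplicate'] );
    }
}

// Hardened shape: capability check (authorisation) plus nonce check (CSRF).
function example_duplicate_hardened() {
    if ( ! isset( $_GET['wpdm_duplicate'] ) ) {
        return;
    }
    $id = absint( $_GET['wpdm_duplicate'] );
    // Assumption: being able to edit the source post is the right bar.
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid _wpnonce for this exact id.
    check_admin_referer( 'example_duplicate_' . $id );
    $new_id = example_clone_download( $id );
    wp_safe_redirect( $new_id ? admin_url( 'post.php?action=edit&post=' . $new_id ) : admin_url() );
    exit;
}
add_action( 'admin_init', 'example_duplicate_hardened' );

// Admin screens must build the link with the matching nonce.
function example_duplicate_url( $id ) {
    $url = add_query_arg( 'wpdm_duplicate', absint( $id ), admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'example_duplicate_' . absint( $id ) );
}

// Minimal copy (title and content only; post meta is not copied here).
function example_clone_download( $id ) {
    $src = get_post( $id );
    if ( ! $src ) {
        return 0;
    }
    return wp_insert_post( wp_slash( array(
        'post_title'   => $src->post_title . ' (copy)',
        'post_content' => $src->post_content,
        'post_type'    => $src->post_type,
        'post_status'  => 'draft',
    ) ) );
}
```

With the hardened handler, the bare URL above is rejected at the capability check for visitors who are not logged in, and at the nonce check for a logged-in editor who is tricked into following it.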
Yes
2021-04-17 (about 1 year ago)