What the vulnerability does
01Description
Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download After Email: from n/a through <= 2.1.9.
Explanation of Vulnerability in Simple Terms
02Summary
Download After Email contains a missing authorization flaw that allows authenticated users to access sensitive information they should not be able to view. An attacker with a low-privilege account can read data intended for other users without additional interaction. The vulnerability affects versions up to 2.1.9 and exposes confidential information stored within the plugin.
What an attacker can do
03Attacker Capabilities
Read sensitive data belonging to other users by making direct requests to the plugin.
Potential impact on your site
04Site Impact
User data and confidential information may be exposed to other authenticated users on your site.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the site; no user interaction required.
Key dates
06Disclosure timeline
January 23, 2026
CVE published
April 28, 2026
Record updated