The Download Monitor plugin for WordPress suffers from an improper authorization vulnerability (CWE-285) in the dlm_uninstall_plugin function in all versions up to and including 4.9.13. This flaw allows authenticated users with low privileges to uninstall the plugin and remove its data because the function lacks a required capability check. The CVSS 3.1 base score is 5.4 (medium severity) with network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact.

An attacker with authenticated access but limited privileges can uninstall the Download Monitor plugin and delete its data, impacting the availability and integrity of the plugin's functionality and stored information. There is no impact on confidentiality. This could disrupt website operations relying on this plugin.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict plugin management capabilities to trusted users only to reduce risk. Monitor for updates from wpchill regarding a security patch addressing this authorization issue.