Lucene search

K
Simple Download Monitor ProjectSimple Download Monitor

6 matches found

CVE
CVE
added 2022/07/17 11:15 a.m.73 views

CVE-2022-2222

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

4.9CVSS4.9AI score0.00842EPSS
CVE
CVE
added 2022/03/14 3:15 p.m.68 views

CVE-2021-24692

The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

6.5CVSS6.4AI score0.00703EPSS
CVE
CVE
added 2022/10/10 9:15 p.m.53 views

CVE-2022-2981

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

4.9CVSS4.9AI score0.00289EPSS
CVE
CVE
added 2022/01/24 8:15 a.m.46 views

CVE-2021-24696

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image ...

8.8CVSS8.4AI score0.00109EPSS
CVE
CVE
added 2022/01/24 8:15 a.m.45 views

CVE-2021-24694

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.

5.4CVSS5.2AI score0.0018EPSS
CVE
CVE
added 2022/01/03 1:15 p.m.34 views

CVE-2021-24786

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue

7.2CVSS7.1AI score0.04568EPSS