RSS   Vulnerabilities for 'Download monitor'   RSS

2022-07-17
 
CVE-2022-2222

CWE-552
 

 
The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

 
2022-01-28
 
CVE-2021-23174

CWE-79
 

 
Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title, &downloadable_file_version[0].

 
 
CVE-2021-31567

CWE-200
 

 
Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the &downloadable_file_urls[0] parameter data. It's also possible to escape from the web server home directory and download any file within the OS.

 
2022-01-14
 
CVE-2021-36920

CWE-79
 

 
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress plugin Download Monitor (versions <= 4.4.6).

 
2022-01-03
 
CVE-2021-24786

CWE-89
 

 
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue

 

 >>> Vendor: Wpchill 4 Products
Download monitor
Check \& log email
Remove footer credit
Kb support


Copyright 2024, cxsecurity.com

 

Back to Top