Simple Download Monitor < 3.9.9 - Multiple CSRF
CVE-2021-24696

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Simple Download Monitor
Vendor: CVE Published:; 24 January 2022

Summary

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads

Affected Version(s)

Simple Download Monitor 3.9.9

References

https://wpscan.com/vulnerability/e94772af-39ac-4743-a556-...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

apple502j