Unauthorized Access to Sensitive Information via Bypass of Capability Check in Download Monitor Plugin
CVE-2022-4972
7.5HIGH
Key Information:
- Vendor
- WPchill
- Status
- Download Monitor
- Vendor
- CVE Published:
- 16 October 2024
Summary
The Download Monitor plugin for WordPress contains a vulnerability that permits unauthorized users to bypass authorization safeguards. This flaw arises from a missing capability check on several REST-API routes associated with reporting functions. As a result, attackers without authenticated access can exploit this vulnerability to view sensitive user data and information that should be reserved for administrators. This exposure poses a significant risk to website security and the confidentiality of sensitive information.
Affected Version(s)
Download Monitor * <= 4.7.51
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved