Unauthorized Modification of Data in Download Monitor Plugin for WordPress Allows Attackers to Access Site Users' Data
CVE-2024-10399
4.3 MEDIUM
Summary
The Download Monitor plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check in the ajax_search_users function. This vulnerability affects all versions up to and including 5.0.13. Authenticated attackers with Subscriber-level access and above can exploit this flaw, allowing them to retrieve sensitive information such as usernames and email addresses of site users. Site administrators should prioritize updating the plugin to mitigate potential risks associated with this vulnerability.
Affected Version(s)
Download Monitor * <= 5.0.13
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Trương Hữu Phúc (truonghuuphuc)