SQL Injection Vulnerability in Download Monitor by WP Chill
CVE-2026-39486

7.6 HIGH

Key Information:

Vendor

WordPress

CVE Published:
8 April 2026

What is CVE-2026-39486?

The Download Monitor plugin from WP Chill is susceptible to a Blind SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw enables attackers to manipulate database queries, potentially allowing unauthorized access to sensitive information. The issue affects versions of Download Monitor up to and including 5.1.8, and highlights the importance of securing database interactions to prevent exploitation in WordPress environments.

Affected Version(s)

Download Monitor: versions 0 through 5.1.8 (inclusive)

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo | Patchstack Bug Bounty Program