Cross-Site Request Forgery Vulnerability in Download Monitor Plugin for WordPress
CVE-2026-4401

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Download Monitor
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-4401?

The Download Monitor plugin for WordPress is susceptible to Cross-Site Request Forgery vulnerabilities in its actions_handler() and bulk_actions_handler() methods. This issue arises from inadequate nonce verification across all versions up to and including 5.1.10. Attackers can exploit this flaw to conduct unauthorized actions, such as deleting or modifying download paths, by tricking site administrators into inadvertently submitting malicious requests.

Affected Version(s)

Download Monitor 0 <= 5.1.10

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/download-monit...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

Kirasec

CVE-2026-4401 Data

JSON