Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for Download Monitor by Unknown
CVE-2022-2981 (GCVE-0-2022-2981)
Vulnerability from nvd – Published: 2022-10-10 00:00 – Updated: 2024-08-03 00:52
VLAI?
Title
Download Monitor < 4.5.98 - Admin+ Arbitrary File Download
Summary
The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.
Severity ?
No CVSS data available.
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Download Monitor |
Affected:
4.5.98 , < 4.5.98
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Download Monitor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.98",
"status": "affected",
"version": "4.5.98",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Raad Haddad of Cloudyrion GmbH"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-10T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Download Monitor \u003c 4.5.98 - Admin+ Arbitrary File Download",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2981",
"datePublished": "2022-10-10T00:00:00.000Z",
"dateReserved": "2022-08-24T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:52:59.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2222 (GCVE-0-2022-2222)
Vulnerability from nvd – Published: 2022-07-17 10:37 – Updated: 2024-08-03 00:32
VLAI?
Title
Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
Summary
The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.
Severity ?
No CVSS data available.
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Download Monitor |
Affected:
4.5.91 , < 4.5.91
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:08.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Download Monitor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.91",
"status": "affected",
"version": "4.5.91",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thiago Martins"
},
{
"lang": "en",
"value": "Jorge Buzeti"
},
{
"lang": "en",
"value": "Leandro Inacio"
},
{
"lang": "en",
"value": "Lucas de Souza"
},
{
"lang": "en",
"value": "Matheus Oliveira"
},
{
"lang": "en",
"value": "Filipe Baptistella"
},
{
"lang": "en",
"value": "Leonardo Paiva"
},
{
"lang": "en",
"value": "Jose Thomaz"
},
{
"lang": "en",
"value": "Joao Maciel"
},
{
"lang": "en",
"value": "Vinicius Pereira"
},
{
"lang": "en",
"value": "Geovanni Campos"
},
{
"lang": "en",
"value": "Hudson Nowak"
},
{
"lang": "en",
"value": "Guilherme Acerbi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-17T10:37:28.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Download Monitor \u003c 4.5.91 - Admin+ Arbitrary File Download",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2222",
"STATE": "PUBLIC",
"TITLE": "Download Monitor \u003c 4.5.91 - Admin+ Arbitrary File Download"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Download Monitor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.5.91",
"version_value": "4.5.91"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thiago Martins"
},
{
"lang": "eng",
"value": "Jorge Buzeti"
},
{
"lang": "eng",
"value": "Leandro Inacio"
},
{
"lang": "eng",
"value": "Lucas de Souza"
},
{
"lang": "eng",
"value": "Matheus Oliveira"
},
{
"lang": "eng",
"value": "Filipe Baptistella"
},
{
"lang": "eng",
"value": "Leonardo Paiva"
},
{
"lang": "eng",
"value": "Jose Thomaz"
},
{
"lang": "eng",
"value": "Joao Maciel"
},
{
"lang": "eng",
"value": "Vinicius Pereira"
},
{
"lang": "eng",
"value": "Geovanni Campos"
},
{
"lang": "eng",
"value": "Hudson Nowak"
},
{
"lang": "eng",
"value": "Guilherme Acerbi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-552 Files or Directories Accessible to External Parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2222",
"datePublished": "2022-07-17T10:37:28.000Z",
"dateReserved": "2022-06-27T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:32:08.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24786 (GCVE-0-2021-24786)
Vulnerability from nvd – Published: 2022-01-03 12:49 – Updated: 2025-05-22 18:39
VLAI?
Title
Download Monitor < 4.4.5 - Admin+ SQL Injection
Summary
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
Severity ?
7.2 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Download Monitor |
Affected:
4.4.5 , < 4.4.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-24786",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:38:24.686820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:39:07.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Monitor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.4.5",
"status": "affected",
"version": "4.4.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "bl4derunner"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the \"orderby\" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-03T12:49:03.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Download Monitor \u003c 4.4.5 - Admin+ SQL Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24786",
"STATE": "PUBLIC",
"TITLE": "Download Monitor \u003c 4.4.5 - Admin+ SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Download Monitor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4.5",
"version_value": "4.4.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "bl4derunner"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the \"orderby\" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24786",
"datePublished": "2022-01-03T12:49:03.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2025-05-22T18:39:07.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2981 (GCVE-0-2022-2981)
Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 00:52
VLAI?
Title
Download Monitor < 4.5.98 - Admin+ Arbitrary File Download
Summary
The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.
Severity ?
No CVSS data available.
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Download Monitor |
Affected:
4.5.98 , < 4.5.98
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Download Monitor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.98",
"status": "affected",
"version": "4.5.98",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Raad Haddad of Cloudyrion GmbH"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-10T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Download Monitor \u003c 4.5.98 - Admin+ Arbitrary File Download",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2981",
"datePublished": "2022-10-10T00:00:00.000Z",
"dateReserved": "2022-08-24T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:52:59.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2222 (GCVE-0-2022-2222)
Vulnerability from cvelistv5 – Published: 2022-07-17 10:37 – Updated: 2024-08-03 00:32
VLAI?
Title
Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
Summary
The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.
Severity ?
No CVSS data available.
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Download Monitor |
Affected:
4.5.91 , < 4.5.91
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:08.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Download Monitor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.5.91",
"status": "affected",
"version": "4.5.91",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thiago Martins"
},
{
"lang": "en",
"value": "Jorge Buzeti"
},
{
"lang": "en",
"value": "Leandro Inacio"
},
{
"lang": "en",
"value": "Lucas de Souza"
},
{
"lang": "en",
"value": "Matheus Oliveira"
},
{
"lang": "en",
"value": "Filipe Baptistella"
},
{
"lang": "en",
"value": "Leonardo Paiva"
},
{
"lang": "en",
"value": "Jose Thomaz"
},
{
"lang": "en",
"value": "Joao Maciel"
},
{
"lang": "en",
"value": "Vinicius Pereira"
},
{
"lang": "en",
"value": "Geovanni Campos"
},
{
"lang": "en",
"value": "Hudson Nowak"
},
{
"lang": "en",
"value": "Guilherme Acerbi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-17T10:37:28.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Download Monitor \u003c 4.5.91 - Admin+ Arbitrary File Download",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2222",
"STATE": "PUBLIC",
"TITLE": "Download Monitor \u003c 4.5.91 - Admin+ Arbitrary File Download"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Download Monitor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.5.91",
"version_value": "4.5.91"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thiago Martins"
},
{
"lang": "eng",
"value": "Jorge Buzeti"
},
{
"lang": "eng",
"value": "Leandro Inacio"
},
{
"lang": "eng",
"value": "Lucas de Souza"
},
{
"lang": "eng",
"value": "Matheus Oliveira"
},
{
"lang": "eng",
"value": "Filipe Baptistella"
},
{
"lang": "eng",
"value": "Leonardo Paiva"
},
{
"lang": "eng",
"value": "Jose Thomaz"
},
{
"lang": "eng",
"value": "Joao Maciel"
},
{
"lang": "eng",
"value": "Vinicius Pereira"
},
{
"lang": "eng",
"value": "Geovanni Campos"
},
{
"lang": "eng",
"value": "Hudson Nowak"
},
{
"lang": "eng",
"value": "Guilherme Acerbi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-552 Files or Directories Accessible to External Parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2222",
"datePublished": "2022-07-17T10:37:28.000Z",
"dateReserved": "2022-06-27T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:32:08.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24786 (GCVE-0-2021-24786)
Vulnerability from cvelistv5 – Published: 2022-01-03 12:49 – Updated: 2025-05-22 18:39
VLAI?
Title
Download Monitor < 4.4.5 - Admin+ SQL Injection
Summary
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
Severity ?
7.2 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Download Monitor |
Affected:
4.4.5 , < 4.4.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:17.204Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-24786",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:38:24.686820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:39:07.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Download Monitor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.4.5",
"status": "affected",
"version": "4.4.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "bl4derunner"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the \"orderby\" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-03T12:49:03.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Download Monitor \u003c 4.4.5 - Admin+ SQL Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24786",
"STATE": "PUBLIC",
"TITLE": "Download Monitor \u003c 4.4.5 - Admin+ SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Download Monitor",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.4.5",
"version_value": "4.4.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "bl4derunner"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the \"orderby\" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24786",
"datePublished": "2022-01-03T12:49:03.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2025-05-22T18:39:07.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}