CVE-2021-24696

HIGH

Simple Download Monitor <3.9.9 - CSRF


Description

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to: 1) make admins export logs in order to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), and 3) remove the thumbnail image from downloads.

References (1)

Exploit, Third Party Advisory
https://wpscan.com/vulnerability/e94772af-39ac-4743-a556-52351ebda9fe

Scores

CVSS v3 8.8
EPSS 0.0063
EPSS Percentile 45.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
tipsandtricks-hq/simple_download_monitor < 3.9.9
Published Jan 24, 2022
Tracked Since Feb 18, 2026