Download Monitor
cpe:2.3:a:wpchill:download_monitor:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Wpchill (229d438d-d20e-586d-ac2f-e6b4e123f9dc) |
|---|---|
| Product | Download Monitor (fe526bfc-fae6-5c9f-8411-17ec860df08c) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/wpchill/download-monitor | purl2cpe | 2026-06-01 10:12:17.992257 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-4401 | vulnerable | 2026-06-03 15:26:25.427987 | Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling<br>MEDIUM (5.4)<br>The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.<br>Published: 2026-04-07T23:25:27.305Z<br>Updated: 2026-04-13T15:15:10.823Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3124 | vulnerable | 2026-06-03 15:22:13.844996 | Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'<br>HIGH (7.5)<br>The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.<br>Published: 2026-03-30T01:24:44.783Z<br>Updated: 2026-04-08T16:49:33.008Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-8552 | vulnerable | 2026-06-03 14:58:18.723809 | Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable<br>MEDIUM (4.3)<br>The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.<br>Published: 2024-09-26T02:03:24.869Z<br>Updated: 2026-04-08T16:47:05.354Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-3269 | vulnerable | 2026-06-03 14:56:23.837148 | Download Monitor <= 4.9.13 - Missing Authorization<br>MEDIUM (5.4)<br>The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and including, 4.9.13. This makes it possible for authenticated attackers to uninstall the plugin and delete its data.<br>Published: 2024-05-30T03:34:29.217Z<br>Updated: 2026-04-08T17:20:36.860Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-30501 | vulnerable | 2026-06-03 14:55:38.473997 | WordPress Download Monitor theme <= 4.9.4 - Auth. SQL Injection vulnerability<br>HIGH (7.6)<br>Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.9.4.<br>Published: 2024-03-29T14:06:52.184Z<br>Updated: 2026-04-28T16:09:25.195Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-10399 | vulnerable | 2026-06-03 14:54:05.497649 | Download Monitor <= 5.0.13 - Missing Authorization to Sensitive Information Exposure<br>MEDIUM (4.3)<br>The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.<br>Published: 2024-10-30T05:32:14.606Z<br>Updated: 2026-04-08T16:32:59.699Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-10092 | vulnerable | 2026-06-03 14:54:04.877274 | Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation<br>MEDIUM (4.3)<br>The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.<br>Published: 2024-10-26T07:36:08.238Z<br>Updated: 2026-04-08T17:32:32.318Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-34007 | vulnerable | 2026-06-03 14:52:15.357662 | WordPress Download Monitor Plugin <= 4.8.3 is vulnerable to Arbitrary File Upload<br>CRITICAL (9.9)<br>Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.8.3.<br>Published: 2023-12-20T18:49:45.694Z<br>Updated: 2026-04-28T16:08:26.817Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-31219 | vulnerable | 2026-06-03 14:51:55.064632 | WordPress Download Monitor Plugin <= 4.8.1 is vulnerable to Server Side Request Forgery (SSRF)<br>MEDIUM (4.1)<br>Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.8.1.<br>Published: 2023-11-13T02:24:15.809Z<br>Updated: 2026-04-28T16:08:21.001Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-4972 | vulnerable | 2026-06-03 14:48:43.518243 | Download Monitor <= 4.7.51 - Missing Authorization to Unauthenticated Data Export<br>HIGH (7.5)<br>The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators.<br>Published: 2024-10-16T06:43:39.366Z<br>Updated: 2026-04-08T17:14:03.214Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-45354 | vulnerable | 2026-06-03 14:48:24.026602 | WordPress Download Monitor Plugin <= 4.7.60 is vulnerable to Sensitive Data Exposure<br>MEDIUM (5.3)<br>Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.7.60.<br>Published: 2024-01-08T20:45:20.169Z<br>Updated: 2026-04-28T16:07:52.284Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-23174 | vulnerable | 2026-06-03 14:43:54.746076 | WordPress Download Monitor plugin <= 4.4.6 - Auth. Stored Cross-Site Scripting (XSS) vulnerability<br>LOW (3.4)<br>Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). Vulnerable parameters: &post_title, &downloadable_file_version[0].<br>Published: 2022-01-28T19:09:52.936Z<br>Updated: 2026-04-28T16:07:34.370Z | Imported from gcve-enriched-dumps CVE data |