CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30501 – WordPress Download Monitor theme <= 4.9.4 - Auth. SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-30501
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.9.4. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en WPChill Download Monitor. Este problema afecta a Download Monitor: desde n/a hasta 4.9.4. The Download Monitor plugin for WordPress is vulnerable to SQL Injection via the 'limit' parameter in all versions up to 4.9.5 (exclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/download-monitor/wordpress-download-monitor-theme-4-9-4-admin-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2018-5212 – Simple Download Monitor < 3.5.4 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5212
The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload_thumbnail (aka File Thumbnail) parameter in an edit action to wp-admin/post.php. El plugin Simple Download Monitor en versiones anteriores a la 3.5.4 para WordPress tiene Cross-Site Scripting (XSS) mediante el parámetro sdm_upload_thumbnail (también conocido como File Thumbnail) en una acción edit en wp-admin/post.php. • https://github.com/Arsenal21/simple-download-monitor/commit/8ab8b9166bc87feba26a1573cf595af48eff7805 https://github.com/Arsenal21/simple-download-monitor/issues/27 https://github.com/d4wner/Vulnerabilities-Report/blob/master/simple-download-monitor.md https://wordpress.org/support/topic/stored-xss-bug-at-the-latest-version-of-simple-download-monitor • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2018-5213 – Simple Download Monitor < 3.5.4 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5213
The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload (aka Downloadable File) parameter in an edit action to wp-admin/post.php. El plugin Simple Download Monitor en versiones anteriores a la 3.5.4 para WordPress tiene Cross-Site Scripting (XSS) mediante el parámetro sdm_upload (también conocido como Downloadable File) en una acción edit en wp-admin/post.php. • https://github.com/Arsenal21/simple-download-monitor/commit/8ab8b9166bc87feba26a1573cf595af48eff7805 https://github.com/Arsenal21/simple-download-monitor/issues/27 https://github.com/d4wner/Vulnerabilities-Report/blob/master/simple-download-monitor.md https://wordpress.org/support/topic/stored-xss-bug-at-the-latest-version-of-simple-download-monitor • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •