CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24663 – WordPress Simple Download Monitor plugin <= 3.9.25 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-24663
24 Jan 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tips and Tricks HQ, Ruhul Amin, Josh Lobe Simple Download Monitor allows Blind SQL Injection. This issue affects Simple Download Monitor: from n/a through 3.9.25. The Simple Download Monitor plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.9.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This... • https://patchstack.com/database/wordpress/plugin/simple-download-monitor/vulnerability/wordpress-simple-download-monitor-plugin-3-9-25-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24694 – Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
https://notcve.org/view.php?id=CVE-2021-24694
21 Dec 2021 — The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode. El plugin Simple Download Monitor de WordPress versiones anteriores a 3.9.11, podía permitir a usuarios con un rol tan bajo como el de Contribuyente llevar a cabo un ataque de tipo Cross-Site Scripting Almacenado por medio... • https://wpscan.com/vulnerability/9d0d8f8c-f8fb-457f-b557-255a052ccc32 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24696 – Simple Download Monitor < 3.9.9 - Multiple CSRF
https://notcve.org/view.php?id=CVE-2021-24696
21 Dec 2021 — The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads El plugin Simple Download Monitor de WordPress versiones anteriores a 3.9.9, no aplica las comprobaciones de nonce, lo que podría permitir a atacantes llevar a cabo ataques de tipo CSRF para 1) hace... • https://wpscan.com/vulnerability/e94772af-39ac-4743-a556-52351ebda9fe • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24693 – Simple Download Monitor < 3.9.5 - Contributor+ Stored Cross-Site Scripting via File Thumbnail
https://notcve.org/view.php?id=CVE-2021-24693
05 Oct 2021 — The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin El plugin Simple Download ... • https://wpscan.com/vulnerability/4bb559b7-8dde-4c90-a9a6-d8dcfbea53a7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2021-24695 – Simple Download Monitor < 3.9.6 - Unauthenticated Log Access
https://notcve.org/view.php?id=CVE-2021-24695
05 Oct 2021 — The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames El plugin Simple Download Monitor de WordPress versiones anteriores a 3.9.6, guarda los registros en una ubicación predecible y no presenta ninguna autenticación o autorización para evitar que los usuarios no autenticados ... • https://wpscan.com/vulnerability/d7bdaf2b-cdd9-4aee-b1bb-01728160ff25 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-425: Direct Request ('Forced Browsing') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24697 – Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24697
05 Oct 2021 — The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues El plugin Simple Download Monitor de WordPress versiones anteriores a 3.9.5, no escapa de los parámetros 1) sdm_active_tab GET y 2) sdm_stats_start_date/sdm_stats_end_date POST antes de devolverlos en atributos, conllevando a problemas de tipo Cro... • https://wpscan.com/vulnerability/ef9ae513-6c29-45c2-b5ae-4a06a217c499 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24698 – Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal
https://notcve.org/view.php?id=CVE-2021-24698
05 Oct 2021 — The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download. El plugin Simple Download Monitor de WordPress versiones anteriores a 3.9.6, permite a usuarios con un rol tan bajo como el de Contribuyente eliminar las miniaturas de las descargas de las que no son propietarios, incluso si normalmente no pueden editar la descarga • https://wpscan.com/vulnerability/1fda1356-77d8-4e77-9ee6-8f9ceeb3d380 • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24692 – Simple Download Monitor < 3.9.5 - Contributor+ Arbitrary File Download via Path Traversal
https://notcve.org/view.php?id=CVE-2021-24692
02 Sep 2021 — The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector. El plugin Simple Download Monitor de WordPress versiones anteriores a 3.9.5, permite a usuarios con un rol tan bajo como el de Contribuyente descargar cualquier archivo del servidor web (como wp-config.php) por medio de un vector de path traversal • https://wpscan.com/vulnerability/4c9fe97e-3d9b-4079-88d9-34e2d0605215 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5650 – Simple Download Monitor <= 3.8.8 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-5650
21 Oct 2020 — Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. Una vulnerabilidad de tipo Cross-site scripting en Simple Download Monitor versiones 3.8.8 y anteriores, permite a atacantes remotos inyectar script arbitrario por medio de vectores no especificados The Simple Download Monitor plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.8.8 due to insufficient input s... • https://jvn.jp/en/jp/JVN31425618/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5651 – Simple Download Monitor <= 3.8.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2020-5651
21 Oct 2020 — SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. Una vulnerabilidad de inyección de SQL en Simple Download Monitor versiones 3.8.8 y anteriores, permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio de una URL especialmente diseñada The Simple Download Monitor plugin for WordPress is vulnerable to generic SQL Injection in versions up to, and including, 3.8.8 due to insufficient es... • https://jvn.jp/en/jp/JVN31425618/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •