WordPress Plugin Vulnerabilities

Simple Download Monitor < 3.9.6 - Unauthorised Log Reset

Description

The sdm_reset_log AJAX action of the plugin does not have any capability and CSRF checks, which could allow any authenticated user (such as subscriber), or an attacker performing a CSRF attack against a logged in admin to reset the log entries

Proof of Concept

Affects Plugins

Plugin icon
simple-download-monitor
Fixed in 3.9.6

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
08f4c669-0000-4b17-b762-ae06f5d01538

Timeline

Publicly Published
2021-10-05 (about 4 years ago)
Added
2021-10-05 (about 4 years ago)
Last Updated
2021-10-05 (about 4 years ago)

Other

Published
Title
Published
2020-04-28
Title
Quick Page/Post redirect < 5.2.0 - Authenticated Settings Update
Published
2020-09-05
Title
NextScripts: Social Networks Auto-Poster < 4.3.18 - Insufficient Privilege Validation
Published
2024-04-26
Title
Analytify < 5.2.4 - Missing Authorization to Unauthenticated Google Analytics Tracking ID Modification
Published
2021-09-15
Title
Find My Blocks < 3.4.0 - Private Post Titles Disclosure
Published
2021-04-10
Title
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)