WordPress Plugin Vulnerabilities

Download Monitor < 4.9.14 - Missing Authorization

Description

The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and including, 4.9.13. This makes it possible for authenticated attackers to uninstall the plugin and delete its data.

Affects Plugins

Plugin icon
download-monitor
Fixed in 4.9.14

References

CVE
CVE-2024-3269
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c454a958-91c4-4847-91f6-dedebf857964

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Arkadiusz Hydzik
Verified
No
WPVDB ID
18aa245b-6fce-4a56-b957-ee303e4ee8e0

Timeline

Publicly Published
2024-05-29 (about 2 years ago)
Added
2024-05-29 (about 2 years ago)
Last Updated
2024-05-29 (about 2 years ago)

Other

Published
Title
Published
2026-02-24
Title
WPGSI: Spreadsheet Integration < 3.8.4 - Missing Authorization to Unauthenticated Arbitrary Post Creation and Deletion via Forged Base64 Token
Published
2026-06-23
Title
24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action
Published
2023-11-07
Title
EazyDocs < 2.3.6 - Unauthenticated OnePage Document Update/Publish
Published
2025-01-03
Title
Social Media Share Buttons | MashShare <= 4.0.47 - Missing Authorization
Published
2026-02-20
Title
weMail < 2.0.8 - Missing Authorization to Unauthenticated Form Deletion