WordPress Plugin Vulnerabilities

Simple Download Monitor < 3.8.9 - SQL Injection

Description

Gen Sato of Mitsui Bussan Secure Directions, discovered an Authenticated (admin+) SQL Injection issue, which could result in an arbitrary SQL command executed if a user accesses a specially crafted URL while logged in.

Affects Plugins

Plugin icon
simple-download-monitor
Fixed in 3.8.9

References

CVE
CVE-2020-5651
URL
https://jvn.jp/en/jp/JVN31425618/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Gen Sato of Mitsui Bussan Secure Directions
Verified
No
WPVDB ID
a0d71b73-05ce-44bb-8902-cedcd743a9ff

Timeline

Publicly Published
2020-10-21 (about 5 years ago)
Added
2020-10-21 (about 5 years ago)
Last Updated
2020-10-23 (about 5 years ago)

Other

Published
Title
Published
2021-10-07
Title
Chameleon CSS <= 1.2 - Subscriber+ SQL Injection
Published
2015-02-03
Title
WordPress <= 1.5.1.2 - XML-RPC SQL Injection
Published
2025-03-31
Title
Uptime Robot Plugin for WordPress <= 2.3 - Authenticated (Contributor+) SQL Injection
Published
2022-03-16
Title
WP Block and Stop Bad Bots < 6.930 - Unauthenticated SQLi
Published
2022-12-05
Title
Contest Gallery < 19.1.5 - Author+ SQL Injection