Simple Download Monitor < 3.9.6 – Unauthenticated Log Access | CVE 2021-24695 | Plugin Vulnerabilities

Description

The plugin saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames

Proof of Concept

https://example.com/wp-content/plugins/simple-download-monitor/sdm-download-logs.csv

Note: if the file is not created yet, then the admin has to export logs first, then anyone can download the log. Exporting can also be done via the separate CSRF.

Affects Plugins

simple-download-monitor

Fixed in 3.9.6

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

d7bdaf2b-cdd9-4aee-b1bb-01728160ff25

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-10-05 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2025-12-08

Title

Custom Field Template <= 2.7.5 - Authenticated (Subscriber+) Information Exposure

Published

2023-10-18

Title

Popup by Supsystic < 1.10.20 - Missing Authorization to Sensitive Information Exposure

Published

2022-08-01

Title

Simple Job Board < 2.10.0 - Resume Disclosure via Directory Listing

Published

2024-08-20

Title

Flamix: Bitrix24 and Contact Form 7 integrations < 3.2.0 - Unauthenticated Full Path Disclosure

Published

2025-03-25

Title

Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates < 1.6.9 - Authenticated (Contributor+) Sensitive Information Exposure