CVE-2021-24696: Cross-Site Request Forgery in Simple Download Monitor

Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 70.72% percentile)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 24, 2022; latest update Jan 25, 2022

Description

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks on several admin actions. An attacker who lures a logged-in administrator to a crafted page can forge requests that 1) make the admin export logs, which chains into a separate log disclosure vulnerability (fixed in 3.9.6); 2) delete logs (fixed in 3.9.9); 3) remove the thumbnail image from downloads. As with any CSRF, the attacker needs no credentials of their own (PR:N in the vector below) but does need the victim to visit the attacker's page (UI:R): the forged request is issued by the victim's browser and carries the victim's WordPress session cookies, so the plugin cannot distinguish it from a legitimate click unless the request also carries a nonce the attacker cannot know.
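The root cause is the standard WordPress pattern of an admin action handler that acts on a query parameter without verifying a nonce. The following is an added illustration written for this page, not code from Simple Download Monitor: a hypothetical handler is shown first in the vulnerable form and then hardened with the WordPress nonce API (`wp_nonce_url()` to mint the token into the admin link, `check_admin_referer()` to verify it) plus a capability check. The action names, query parameters, page slug and the `example_delete_logs()` helper are placeholders and do not reflect the plugin's real identifiers; the same fix applies equally to the export-logs and remove-thumbnail actions described above.

```php
<?php
/**
 * Added example, not part of the Simple Download Monitor code base.
 * All names below (example_*, the admin page slug, the query parameters)
 * are hypothetical placeholders chosen for illustration.
 */

/** Hypothetical state-changing operation guarded by the handlers below. */
function example_delete_logs() {
    global $wpdb;
    // Placeholder table name; a real plugin would use its own.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}example_download_logs" );
}

// ---------------------------------------------------------------------------
// VULNERABLE: the handler trusts any request that names the action.
// A logged-in administrator who loads an attacker page containing, e.g.
//   <img src="https://victim.example/wp-admin/admin.php?page=example_plugin&example_action=delete_logs">
// triggers this from their own browser, with their own session cookies.
// ---------------------------------------------------------------------------
add_action( 'admin_init', 'example_handle_action_vulnerable' );
function example_handle_action_vulnerable() {
    if ( ! isset( $_GET['example_action'] ) || 'delete_logs' !== $_GET['example_action'] ) {
        return;
    }
    // No nonce check, no capability check: the forged request succeeds.
    example_delete_logs();
}

// ---------------------------------------------------------------------------
// HARDENED: mint a nonce into the link the admin actually clicks, then
// require it (and the right capability) before acting.
// ---------------------------------------------------------------------------

/** Renders the admin-side link. The nonce is bound to this user, this action
 *  and a limited time window (WordPress default: 12 to 24 hours). */
function example_render_delete_link() {
    $url = wp_nonce_url(
        admin_url( 'admin.php?page=example_plugin&example_action=delete_logs' ),
        'example_delete_logs', // nonce action: one distinct string per operation
        'example_nonce'        // name of the query parameter carrying the nonce
    );
    echo '<a href="' . esc_url( $url ) . '">Delete download logs</a>';
}

add_action( 'admin_init', 'example_handle_action_hardened' );
function example_handle_action_hardened() {
    if ( ! isset( $_GET['example_action'] ) || 'delete_logs' !== $_GET['example_action'] ) {
        return;
    }

    // Authorization: CSRF protection is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }

    // CSRF protection: check_admin_referer() runs wp_verify_nonce() against the
    // 'example_nonce' parameter and calls wp_die() if the nonce is missing,
    // expired, or was issued for another user or another action. An attacker
    // page cannot read or forge the nonce, so a cross-origin request stops here.
    check_admin_referer( 'example_delete_logs', 'example_nonce' );

    example_delete_logs();
}
```

For operations that change state, prefer a POST form with `wp_nonce_field( 'example_delete_logs', 'example_nonce' )` over a nonce-carrying GET link; the nonce check is what defeats CSRF either way, but POST keeps the token out of referrer headers and server logs, which matters when, as in this advisory, the same plugin had a separate log-disclosure issue.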

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (1 package)

Vulnerability Details (2 references)

GHSA: GHSA-58fg-5cpg-7jjv, "The Simple Download Monitor WordPress plugin before 3" (title truncated in source), 2022-01-25
CVEList: "Simple Download Monitor < 3.9.9 - Multiple CSRF", 2022-01-24
CVE-2021-24696 — Cross-Site Request Forgery | cvebase