Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24786 — SQL Injection in Download Monitor

CWE-89 — SQL Injection6 documents6 sources

Severity

7.2HIGHNVD

EPSS

2.2%

top 15.43%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wpchill Download Monitor

Timeline

PublishedJan 3

Latest updateFeb 27

Description

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages1 packages

▶NVDwpchill/download_monitor< 4.4.5

🔴Vulnerability Details

GHSA

GHSA-xgj6-2p43-6fvx: The Download Monitor WordPress plugin before 4↗2022-01-04

▶

CVEList

Download Monitor < 4.4.5 - Admin+ SQL Injection↗2022-01-03

▶

💥Exploits & PoCs

Exploit-DB

Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)↗2022-02-02

▶

Nuclei

Download Monitor < 4.4.5 - SQL Injection

▶

💬Community

Bugzilla

CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]↗2023-02-27

▶