CVE-2022-45354
Published 2024-01-08
CVE-2022-45354: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through…
Priority: P1 · 80 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 38.08% (98.4th percentile)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.7.60.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpchill | download_monitor | <= 4.7.60 | — |
| wpchill | download_monitor | n/a – 4.7.60 | — |
Detection & IOCs (extracted from sources)
- Send an unauthenticated GET request to /wp-json/download-monitor/v1/user_data and check for HTTP 200 with Content-Type application/json and a body containing both '"registered":' and '"display_name":'.
- Identify vulnerable WordPress installations by fingerprinting the presence of the Download Monitor plugin path in HTML responses.
- The vulnerability is exploitable without authentication via the REST API endpoint; no credentials or special headers are required.
- Affected versions are Download Monitor up to and including 4.7.60; later versions are not affected.
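The detection steps above (the unauthenticated probe of the REST endpoint and the plugin-path fingerprint), together with an access-log scan for the same endpoint, as an added Python example that is not code from the page's sources, the Nuclei template, or the plugin vendor. The endpoint path, the plugin slug download-monitor (from the Patchstack and Wordfence URLs) and the 4.7.60 cut-off come from this page; the asset filename, the ?ver= version extraction, the shape of the response JSON and the log lines are constructed assumptions.

```python
"""Detection helpers for CVE-2022-45354 (Download Monitor <= 4.7.60).
Added example; not code from the page's sources or the plugin vendor."""
import json
import re
import urllib.error
import urllib.request

ENDPOINT = "/wp-json/download-monitor/v1/user_data"
# WordPress also exposes REST routes as a query on the site root.
ALT_ENDPOINT_RE = re.compile(r"^/(?:index\.php)?\?rest_route=/download-monitor/v1/user_data/?$")
REQUIRED_KEYS = ("registered", "display_name")
LAST_AFFECTED = (4, 7, 60)          # last affected release per the advisory
PLUGIN_PATH = "/wp-content/plugins/download-monitor/"
# Assumption: the plugin enqueues assets with WordPress's usual ?ver= suffix.
PLUGIN_VER_RE = re.compile(r"/wp-content/plugins/download-monitor/[^\"'\s]*?\?ver=([0-9][0-9.]*)")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def _has_keys(node, keys, found=None):
    """True if every key in `keys` appears somewhere in a nested JSON value."""
    found = set() if found is None else found
    if isinstance(node, dict):
        found.update(k for k in node if k in keys)
        for v in node.values():
            _has_keys(v, keys, found)
    elif isinstance(node, list):
        for v in node:
            _has_keys(v, keys, found)
    return all(k in found for k in keys)

def classify_response(status, content_type, body):
    """Match the exposure signature from the detection step: HTTP 200, a JSON
    content type, and both "registered" and "display_name" in the body.
    A patched site answering 401/403 with a JSON error does not match."""
    if status != 200 or "application/json" not in (content_type or "").lower():
        return False
    try:
        return _has_keys(json.loads(body), REQUIRED_KEYS)
    except ValueError:
        # Unparseable body: fall back to the literal substring test.
        return all('"%s":' % k in body for k in REQUIRED_KEYS)

def probe(base_url, timeout=10):
    """Live check (needs network): one unauthenticated GET with no cookies or
    special headers, which is all the vulnerability requires."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                 headers={"User-Agent": "cve-2022-45354-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.get("Content-Type"), body)
    except urllib.error.HTTPError:
        return False            # 4xx/5xx: endpoint refused or absent (URLError propagates)

def fingerprint_html(html):
    """Return (plugin_present, version_or_None) from a page's HTML."""
    present = PLUGIN_PATH in html
    m = PLUGIN_VER_RE.search(html)
    return present, (m.group(1) if m else None)

def is_affected(version):
    """True when version <= 4.7.60 (numeric compare, so 4.7.7 < 4.7.60)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)) <= LAST_AFFECTED

def scan_access_log(lines):
    """Flag successful hits on the endpoint in combined-format access logs.
    Returns (ip, timestamp, bytes); a 200 with a large body means data left."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        target = m.group("target")
        path = target.split("?", 1)[0].rstrip("/")
        if path == ENDPOINT or ALT_ENDPOINT_RE.match(target):
            size = 0 if m.group("size") == "-" else int(m.group("size"))
            hits.append((m.group("ip"), m.group("ts"), size))
    return hits

# Constructed sample inputs (not captured from a real site).
SAMPLE_VULN_BODY = json.dumps({"data": [{"id": 1, "display_name": "admin",
    "role": "administrator", "registered": "2021-03-01 12:00:00",
    "email": "admin@example.com"}]})
SAMPLE_FIXED_BODY = '{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.","data":{"status":401}}'
SAMPLE_HTML = ('<script src="https://example.com/wp-content/plugins/download-monitor/'
               'assets/js/frontend.js?ver=4.7.60"></script>')   # asset name assumed
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2024:10:15:02 +0000] "GET /wp-json/download-monitor/v1/user_data HTTP/1.1" 200 18342 "-" "curl/8.4.0"',
    '203.0.113.5 - - [08/Jan/2024:10:15:03 +0000] "GET /?rest_route=/download-monitor/v1/user_data HTTP/1.1" 200 18342 "-" "curl/8.4.0"',
    '198.51.100.7 - - [08/Jan/2024:10:16:40 +0000] "GET /wp-json/download-monitor/v1/user_data HTTP/1.1" 401 97 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jan/2024:10:16:41 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("signature match:", classify_response(200, "application/json; charset=UTF-8", SAMPLE_VULN_BODY))
    print("fingerprint:", fingerprint_html(SAMPLE_HTML), "log hits:", scan_access_log(SAMPLE_LOG))
```

Only probe() touches the network; everything else runs on the constructed inputs. The fingerprint alone only establishes that the plugin is installed, so treat a positive probe() result as the authoritative signal, and treat any 200 on the endpoint in historical access logs from before the upgrade as a possible data pull that warrants checking which user records were served.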
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD | 7.5 (v3.1) | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| VulnCheck | 5.3 | MEDIUM | — |
GHSA
GHSA-gq65-6w6h-w9gj: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor
ghsa_unreviewed · 2024-01-08 · MEDIUM · CWE-200
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.7.60.
VulnCheck
WPChill Download Monitor Information Disclosure
vulncheck · 2022 · CVSS 5.3 · MEDIUM
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.7.60.
Affected: wpchill download_monitor
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://patchstack.com/database/vulnerability/download-monitor/wordpress-download-monitor-plugin-4-7-60-sensitive-data-exposure-vulnerability
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/download-monitor/download-monitor-4760-sensitive-information-exposure-via-rest-api
Exploit PoC: https://vulncheck.com/xdb/4df5b4759634
No detection rules found.
Nuclei
Download Monitor <= 4.7.60 - Sensitive Information Exposure
nuclei · CVSS 7.5 · HIGH
The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via the REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords).
Template:
```yaml
id: CVE-2022-45354

info:
  name: Download Monitor <= 4.7.60 - Sensitive Information Exposure
  author: DhiyaneshDK
  severity: high
  description: |
    The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including email, role, id and other info (not passwords)
```
No writeups or analysis indexed.
https://patchstack.com/database/vulnerability/download-monitor/wordpress-download-monitor-plugin-4-7-60-sensitive-data-exposure-vulnerability?_s_id=cve