CVE-2024-10092 — Missing Authorization in Download Monitor

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 72.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wpchill Download Monitor

Timeline

PublishedOct 26

Description

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5wpchill/download_monitor5.0.12

🔴Vulnerability Details

CVEList

Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation↗2024-10-26

▶

GHSA

GHSA-447p-4w4j-j4w9: The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_↗2024-10-26

▶