Wpchill Download Monitor
By the Year
In 2026 there have been 2 vulnerabilities in Wpchill Download Monitor with an average score of 6.5 out of ten. Download Monitor did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.45 |
| 2025 | 0 | 0.00 |
| 2024 | 7 | 5.47 |
| 2023 | 2 | 6.85 |
| 2022 | 6 | 5.33 |
It may take a day or so for new Download Monitor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wpchill Download Monitor Security Vulnerabilities
WordPress DM <=5.1.10 CSRF via actions_handler()
CVE-2026-4401
5.4 - Medium
- April 07, 2026
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Session Riding
Insecure Direct Object Reference in Download Monitor <=5.1.7 executePayment()
CVE-2026-3124
7.5 - High
- March 30, 2026
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.
Insecure Direct Object Reference / IDOR
Download Monitor <=5.0.13: Cap Check Leak Sub Access
CVE-2024-10399
4.3 - Medium
- October 30, 2024
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.
AuthZ
Unauthorized API Key Modification in Download Monitor WP plugin up to v5.0.12
CVE-2024-10092
4.3 - Medium
- October 26, 2024
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.
AuthZ
Download Monitor 4.7.51 REST API Auth Bypass
CVE-2022-4972
7.5 - High
- October 16, 2024
The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators.
AuthZ
Download Monitor <=5.0.9 allows Subscriber to enable shop via enable_shop()
CVE-2024-8552
4.3 - Medium
- September 26, 2024
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.
AuthZ
WordPress Download Monitor 4.9.13 Unauth. Uninstall via missing Capability check
CVE-2024-3269
5.4 - Medium
- May 30, 2024
The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and including, 4.9.13. This makes it possible for authenticated attackers to uninstall the plugin and delete its data.
AuthZ
SQLI in WPChill Download Monitor <=4.9.4
CVE-2024-30501
7.2 - High
- March 29, 2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.9.4.
SQL Injection
WPChill Download Monitor <=4.7.60: Sensitive Info Disclosure to Unauthorized Actor
CVE-2022-45354
5.3 - Medium
- January 08, 2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.7.60.
Information Disclosure
WPChill DM Unrestricted Upload of Dangerous File (4.8.3)
CVE-2023-34007
8.8 - High
- December 20, 2023
Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.8.3.
Unrestricted File Upload
SSRF in WPChill Download Monitor up to 4.8.1
CVE-2023-31219
4.9 - Medium
- November 13, 2023
Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.8.1.
Download Monitor <=4.5.97 Arbitrary File Download
CVE-2022-2981
4.9 - Medium
- October 10, 2022
The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high-privilege users such as admins to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup.
Files or Directories Accessible to External Parties
The Download Monitor WordPress plugin before 4.5.91 does not ensure
CVE-2022-2222
4.9 - Medium
- July 17, 2022
The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high-privilege users such as admins to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup.
Files or Directories Accessible to External Parties
Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6)
CVE-2021-31567
6.8 - Medium
- January 28, 2022
Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the &downloadable_file_urls[0] parameter data. It's also possible to escape from the web server home directory and download any file within the OS.
Information Disclosure
Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title
CVE-2021-23174
3.4 - Low
- January 28, 2022
Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6) Vulnerable parameters: &post_title, &downloadable_file_version[0].
XSS
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress plugin Download Monitor (versions <= 4.4.6).
CVE-2021-36920
4.8 - Medium
- January 14, 2022
Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress plugin Download Monitor (versions <= 4.4.6).
XSS
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs
CVE-2021-24786
7.2 - High
- January 03, 2022
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
SQL Injection