The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 22 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2025-05-22T18:39:07.594Z

Reserved: 2021-01-14T00:00:00.000Z

Link: CVE-2021-24786

cve-icon Vulnrichment

Updated: 2024-08-03T19:42:17.204Z

cve-icon NVD

Status : Modified

Published: 2022-01-03T13:15:08.150

Modified: 2025-05-22T19:15:23.933

Link: CVE-2021-24786

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.