Description
The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-08-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection leading to data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The Simple Download Monitor WordPress plugin is vulnerable to a time-based SQL Injection via the "order" parameter in its Log Export feature. This flaw stems from insufficient escaping and lack of prepared statements, allowing an attacker to inject additional SQL statements. The impact is the potential extraction of sensitive database information. The weakness is classified as CWE-89 (SQL Injection).

Affected Systems

All installations of the Simple Download Monitor plugin with versions up to and including 3.9.33 are affected. An attacker must be a WordPress user with Contributor-level access or higher, and they also need the permissions granted by an Administrator to exploit the vulnerability.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access: a Contributor with the necessary permissions can inject arbitrary SQL via the order parameter, potentially compromising database confidentiality. Due to the moderate CVSS and low EPSS, the risk is considered moderate but should be addressed promptly to prevent possible future exploitation.

Generated by OpenCVE AI on April 21, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Download Monitor plugin to the latest available version to receive the vendor-supplied fix for the SQL injection issue.
  • If an upgrade is not immediately possible, restrict Contributor-level users from accessing the Log Export functionality by adjusting role capabilities or removing the feature entirely.
  • If the plugin cannot be updated or disabled, consider removing the vulnerable order parameter from the export URL or disabling the Log Export feature until a patch can be applied.

Advisories

Source: EUVD
ID: EUVD-2025-26079
Title: The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Thu, 28 Aug 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 04:45:00 +0000

Type | Values Removed | Values Added
Description: The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title: Simple Download Monitor <= 3.9.33 - Simple Download Monitor <= 3.9.33 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality
Weaknesses: CWE-89
References:
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:49:25.012Z
Reserved: 2025-08-13T16:34:38.511Z
Link: CVE-2025-8977

Vulnrichment

Updated: 2025-08-28T13:36:32.662Z

NVD

Status: Deferred
Published: 2025-08-28T05:15:32.473
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-8977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')