CVE-2026-39486 - Vulnerability Details

- WordPress Download Monitor plugin <= 5.1.8 - SQL Injection vulnerability

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.

Published: 2026-04-08

Score: 8.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper handling of user input in the WP Chill Download Monitor plugin that allows blind SQL injection. This flaw can enable an attacker to execute arbitrary SQL statements against the WordPress database, potentially exposing sensitive data or modifying the database contents. The weakness corresponds to CWE‑89.

Affected Systems

The affected product is the WP Chill Download Monitor WordPress plugin. Versions from the earliest available through 5.1.8 are vulnerable. Users running any of these versions should be aware that the plugin is susceptible to injection attacks.

Risk and Exploitability

The EPSS score is less than 1%, indicating a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 7.6 indicates high severity. The attack vector is inferred to be a web request to the plugin’s input handling endpoint with specially crafted parameters; authentication requirements are unclear, but many similar vulnerabilities are exploitable without authentication. Due to the blind nature of the injection, an attacker would need to repeatedly probe the database to extract information, which may limit the speed of exploitation but still constitutes a serious threat if left unpatched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WP Chill

Download Monitor

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.1.8

No data.

Vendor Product Confidence Versions

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Wpchill

Download Monitor

98%

Version	Status	Scheme	Platform
`[0,5.1.8]`	affected	semver	—
`[5.1.9,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WP Chill Download Monitor plugin to the latest release (≥ 5.1.9) to apply the vendor‑provided fix.
If an immediate upgrade is not feasible, restrict the plugin’s administrative interface to trusted IP addresses or require stronger authentication to minimize exposure.
After making changes, monitor the WordPress database for anomalous queries or unexpected access patterns that may indicate attempted or ongoing SQL injection activity.

Generated by OpenCVE AI on April 22, 2026 at 07:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/download-monitor/vulnerability/wordpress-download-monitor-plugin-5-1-8-sql-injection-vulnerability?_s_id=cve

History

Wed, 29 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}`	cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}`

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Wpchill Wpchill download Monitor
Vendors & Products		Wordpress Wordpress wordpress Wpchill Wpchill download Monitor

Wed, 08 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.
Title		WordPress Download Monitor plugin <= 5.1.8 - SQL Injection vulnerability
Weaknesses		CWE-89
References		https://patchstack.com/database/Wordpress/Plugin/download-monitor/vulnerability/wordpress-download-monitor-plugin-5-1-8-sql-injection-vulnerability?_s_id=cve

Subscriptions

Wordpress Wordpress

Wpchill Download Monitor

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-04-08T08:30:11.488Z

Updated: 2026-04-29T09:52:01.879Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39486

Vulnrichment

Updated: 2026-04-14T14:09:02.478Z

NVD

Status : Deferred

Published: 2026-04-08T09:16:23.393

Modified: 2026-04-29T10:17:24.887

Link: CVE-2026-39486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:45:11Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object