Description
Author Arbitrary File Download in Download Monitor <= 5.1.9 versions.
Published: 2026-06-15
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to download any file stored on the server via the WordPress Download Monitor plugin, enabling unauthorized retrieval of arbitrary files. It is a CWE-22 Path Traversal weakness that permits reading of system files. Although it does not provide code execution, the ability to read arbitrary files can lead to information disclosure and further compromise.

Affected Systems

Affects WordPress installations that include the Download Monitor plugin up to and including version 5.1.9, bundled by WP Chill. No higher versions are currently affected. All servers running any of those plugin versions are potentially susceptible.

Risk and Exploitability

The CVSS score is 4.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. The exploitation path most likely involves a remote attacker sending a specially crafted request to the plugin’s download endpoint; authentication may or may not be required depending on how the plugin is configured.

Generated by OpenCVE AI on June 18, 2026 at 01:05 UTC.

Remediation

Vendor Solution

Update the WordPress Download Monitor Plugin to the latest available version (at least 5.1.10).


OpenCVE Recommended Actions

  • Update the WordPress Download Monitor Plugin to version 5.1.10 or later.
  • If the plugin is not required, consider disabling or removing it from the WordPress installation.
  • Restrict access to the plugin’s download interface to authorized users only, such as limiting it to administrators.

Generated by OpenCVE AI on June 18, 2026 at 01:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpchill
Wpchill download Monitor
Vendors & Products Wordpress
Wordpress wordpress
Wpchill
Wpchill download Monitor

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Author Arbitrary File Download in Download Monitor <= 5.1.9 versions.
Title WordPress Download Monitor plugin <= 5.1.9 - Non-Arbitrary File Download vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpchill Download Monitor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:17:06.535Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39489

cve-icon Vulnrichment

Updated: 2026-06-15T22:17:02.519Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:44.610

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39489

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:15:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')