Skip to main content

Download Monitor

11 CVEs product

Monthly

CVE-2026-39489 MEDIUM This Month

Path traversal in the WordPress Download Monitor plugin (versions <= 5.1.9, by WP Chill) allows a network-accessible attacker with Author-level WordPress credentials to download arbitrary files from the server, achieving high confidentiality impact. The vulnerability (CWE-22) stems from improper sanitization of file paths within the plugin's download functionality, enabling directory traversal outside the intended file scope. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and no EPSS data was provided to quantify exploitation probability.

Path Traversal Download Monitor
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-39486 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.

SQLi Download Monitor
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2024-8552 MEDIUM PATCH This Month

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Download Monitor
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-30501 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill Download Monitor.9.4. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Download Monitor
NVD
CVSS 3.1
7.6
EPSS
0.6%
CVE-2023-34007 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor.8.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Download Monitor
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2023-31219 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor.8.1. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Download Monitor
NVD
CVSS 3.1
4.1
EPSS
0.2%
CVE-2022-2981 MEDIUM POC This Month

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Path Traversal PHP Download Monitor
NVD WPScan
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-2222 MEDIUM POC This Month

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal WordPress Information Disclosure Download Monitor
NVD WPScan
CVSS 3.1
4.9
EPSS
0.9%
CVE-2012-4768 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS WordPress Download Monitor
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
1.9%
CVE-2013-5098 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP XSS Download Monitor
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2013-3262 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the p. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

WordPress PHP XSS Download Monitor
NVD
CVSS 2.0
4.3
EPSS
0.3%
EPSS 0% CVSS 4.4
MEDIUM This Month

Path traversal in the WordPress Download Monitor plugin (versions <= 5.1.9, by WP Chill) allows a network-accessible attacker with Author-level WordPress credentials to download arbitrary files from the server, achieving high confidentiality impact. The vulnerability (CWE-22) stems from improper sanitization of file paths within the plugin's download functionality, enabling directory traversal outside the intended file scope. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and no EPSS data was provided to quantify exploitation probability.

Path Traversal Download Monitor
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.

SQLi Download Monitor
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Download Monitor
NVD
EPSS 1% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill Download Monitor.9.4. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Download Monitor
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor.8.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Download Monitor
NVD
EPSS 0% CVSS 4.1
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor.8.1. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Download Monitor
NVD
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Path Traversal +2
NVD WPScan
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal WordPress +2
NVD WPScan
EPSS 2% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS WordPress Download Monitor
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP XSS +1
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the p. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

WordPress PHP XSS +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy