Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 12
Critical: 0
High: 2
Medium: 9
Showing 1-12 of 12 records

Threat Entry Updated 2026-04-08

CVE-2026-4401 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Download Monitor

CVE-2026-4401

MEDIUM CVSS 5.4 2026-04-08

Threat Entry Updated 2026-03-30

CVE-2026-3124 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.

PLUGIN Download Monitor

CVE-2026-3124

HIGH CVSS 7.5 2026-03-30

Threat Entry Updated 2024-11-01

CVE-2024-10399 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.

PLUGIN Download Monitor

CVE-2024-10399

MEDIUM CVSS 4.3 2024-10-30

Threat Entry Updated 2024-10-28

CVE-2024-10092 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

PLUGIN Download Monitor

CVE-2024-10092

MEDIUM CVSS 4.3 2024-10-26

Threat Entry Updated 2024-10-02

CVE-2024-8552 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.

PLUGIN Download Monitor

CVE-2024-8552

MEDIUM CVSS 4.3 2024-09-26

Threat Entry Updated 2024-11-21

CVE-2024-3269 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and including, 4.9.13. This makes it possible for authenticated attackers to uninstall the plugin and delete its data.

PLUGIN Download Monitor

CVE-2024-3269

MEDIUM CVSS 5.4 2024-05-30

Threat Entry Updated 2024-11-21

CVE-2022-2981 - Download Monitor Plugin

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in a hardened environment or multisite setup.

PLUGIN Download Monitor

CVE-2022-2981

MEDIUM CVSS 4.9 2022-10-10

Threat Entry Updated 2024-11-21

CVE-2022-2222 - Download Monitor Plugin

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in a hardened environment or multisite setup.

PLUGIN Download Monitor

CVE-2022-2222

MEDIUM CVSS 4.9 2022-07-17

Threat Entry Updated 2025-05-22

CVE-2021-24786 - Download Monitor Plugin

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue.

PLUGIN Download Monitor

CVE-2021-24786

HIGH CVSS 7.2 2022-01-03