Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total9
Critical1
High2
Medium6
Reset
Showing 1-9 of 9 records
Threat Entry Updated 2026-04-15

CVE-2026-2383 - Simple Download Monitor Plugin

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Download Monitor

CVE-2026-2383

MEDIUM CVSS 6.4 2026-02-27
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-8977 - Simple Download Monitor Plugin

The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Simple Download Monitor

CVE-2025-8977

MEDIUM CVSS 6.5 2025-08-28
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24692 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

PLUGIN Simple Download Monitor

CVE-2021-24692

MEDIUM CVSS 6.5 2022-03-14
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24696 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads

PLUGIN Simple Download Monitor

CVE-2021-24696

HIGH CVSS 8.8 2022-01-24
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24694 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.

PLUGIN Simple Download Monitor

CVE-2021-24694

MEDIUM CVSS 5.4 2022-01-24
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24693 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin

PLUGIN Simple Download Monitor

CVE-2021-24693

CRITICAL CVSS 9.0 2021-11-08
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24695 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames

PLUGIN Simple Download Monitor

CVE-2021-24695

HIGH CVSS 7.5 2021-11-08
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24697 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

PLUGIN Simple Download Monitor

CVE-2021-24697

MEDIUM CVSS 6.1 2021-11-08
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24698 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.

PLUGIN Simple Download Monitor

CVE-2021-24698

MEDIUM CVSS 4.3 2021-11-08
Open Full Technical Breakdown
Scroll to top