WPChill Download Monitor
cpe:2.3:a:wpchill:download_monitor:*:*:*:*:wordpress:*:*
- Affected versions: <= 5.1.10
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Download Monitor plugin for WordPress, affecting all versions through 5.1.10. The issue arises in the 'actions_handler()' and 'bulk_actions_handler()' methods of 'class-dlm-downloads-path.php', where nonce verification is absent. This vulnerability allows unauthenticated attackers to manipulate approved download paths by deleting, disabling, or enabling them, provided they can deceive a site administrator into clicking a link.
Exploitation of this vulnerability could lead to unauthorized changes in the status of download paths, allowing for their deletion, disabling, or enabling without proper authorization.
To reproduce this vulnerability, an attacker must craft a request that exploits the missing nonce verification in the 'actions_handler()' and 'bulk_actions_handler()' methods. This can be done by tricking a site administrator into clicking a link that triggers the forged request, thereby manipulating the approved download paths.
Users are advised to update the Download Monitor plugin to version 5.1.11 or later, where this vulnerability has been patched.
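The defect the advisory describes is an admin action handler that acts on a request without checking that the request carries a valid nonce. The following is an added illustration written for this page, not code from the Download Monitor plugin or from WPChill: it shows a handler in that shape next to a hardened version, using the standard WordPress nonce and capability APIs. All names (the `dlm_example_*` functions, the `dlm_example_paths` option, the `manage_options` capability, the nonce action strings and the admin page slug) are assumptions for the example and do not correspond to the plugin's real identifiers.

```php
<?php
// Added illustration, not the Download Monitor plugin's own code.
// A single-item handler without nonce verification, next to hardened single
// and bulk handlers. Storage is an assumed option holding an array of paths
// keyed by id, e.g. array( 3 => array( 'path' => '/srv/files', 'enabled' => true ) ).

// ---- Shape of the flaw (illustrative) ----------------------------------
// Any request carrying action+id is honoured. The server cannot tell a link
// the administrator was tricked into following from one they chose on purpose.
function dlm_example_actions_handler_vulnerable() {
    if ( ! isset( $_GET['action'], $_GET['id'] ) ) {
        return false;
    }
    return dlm_example_apply_path_action( sanitize_key( $_GET['action'] ), absint( $_GET['id'] ) );
}

// ---- Hardened single-item handler ----------------------------------------
function dlm_example_actions_handler_hardened() {
    if ( ! isset( $_GET['action'], $_GET['id'] ) ) {
        return false;
    }
    // 1. Authorisation: the caller must hold the capability that manages
    //    the plugin's settings ('manage_options' is assumed here).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'dlm-example' ), '', array( 'response' => 403 ) );
    }
    // 2. Intent: the nonce must have been minted for this exact action and
    //    item. check_admin_referer() reads the _wpnonce query argument and
    //    stops the request with wp_die() if it is missing or invalid.
    $action = sanitize_key( $_GET['action'] );
    $id     = absint( $_GET['id'] );
    check_admin_referer( 'dlm_example_path_' . $action . '_' . $id );
    return dlm_example_apply_path_action( $action, $id );
}

// ---- Hardened bulk handler: same two checks, one nonce for the whole form --
function dlm_example_bulk_actions_handler_hardened() {
    if ( empty( $_POST['bulk_action'] ) || empty( $_POST['ids'] ) ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'dlm-example' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'dlm_example_bulk_paths', 'dlm_example_bulk_nonce' );
    $action = sanitize_key( $_POST['bulk_action'] );
    $ok     = true;
    foreach ( array_map( 'absint', (array) $_POST['ids'] ) as $id ) {
        $ok = dlm_example_apply_path_action( $action, $id ) && $ok;
    }
    return $ok;
}

// ---- Emitting links and forms the hardened handlers will accept -----------
// wp_nonce_url() appends _wpnonce to the row-action link; the action string
// must match the one passed to check_admin_referer() above.
function dlm_example_row_action_url( $action, $id ) {
    $url = add_query_arg(
        array( 'action' => $action, 'id' => (int) $id ),
        admin_url( 'admin.php?page=dlm-example-paths' ) // assumed page slug
    );
    return wp_nonce_url( $url, 'dlm_example_path_' . $action . '_' . (int) $id );
}

// Hidden nonce field for the bulk form; name and action match the bulk handler.
function dlm_example_bulk_nonce_field() {
    wp_nonce_field( 'dlm_example_bulk_paths', 'dlm_example_bulk_nonce' );
}

// ---- The state change itself: delete, disable or enable one path -----------
function dlm_example_apply_path_action( $action, $id ) {
    $paths = get_option( 'dlm_example_paths', array() ); // assumed storage
    if ( ! isset( $paths[ $id ] ) ) {
        return false;
    }
    switch ( $action ) {
        case 'delete':
            unset( $paths[ $id ] );
            break;
        case 'disable':
            $paths[ $id ]['enabled'] = false;
            break;
        case 'enable':
            $paths[ $id ]['enabled'] = true;
            break;
        default:
            return false; // unknown action: change nothing
    }
    return update_option( 'dlm_example_paths', $paths );
}
```

The two checks are independent and both are needed: `current_user_can()` answers "may this user do this at all?", while the nonce answers "did this user mean to do it now?". A CSRF link is sent with the victim's own session, so the capability check alone passes; only the per-action nonce, which the attacker cannot obtain from another origin, separates the forged request from a genuine one. Tying the nonce action string to the item id (as in `dlm_example_row_action_url()`) also stops a nonce minted for one path from being replayed against another.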