VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 26 known issues Latest disclosed Mar 29, 2026

Download Monitor Vulnerabilities

Review known vulnerability records for the WordPress plugin Download Monitor (`download-monitor`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
26
High or Critical
8
Linked CVEs
22
Last Updated
Mar 29, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Download Monitor so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
26 records include a published patch path.
Severity Mix
1 critical and 7 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for Download Monitor

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-3124
Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id'

The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to co...

Published
Mar 29, 2026
Patched Release
5.1.8
Affected Versions
Versions up to 5.1.7
Next Step
Update to 5.1.8 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-47439
Download Monitor <= 5.0.22 - Authenticated (Contributor+) Local File Inclusion

The Download Monitor plugin for WordPress is vulnerable to Local File Inclusion via the get_template_part() function in versions up to, and including, 5.0.22. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbit...

Published
May 07, 2025
Patched Release
5.0.23
Affected Versions
Versions up to 5.0.22
Next Step
Update to 5.0.23 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10399
Download Monitor <= 5.0.13 - Missing Authorization to Sensitive Information Exposure

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level...

Published
Oct 29, 2024
Patched Release
5.0.14
Affected Versions
Versions up to 5.0.13
Next Step
Update to 5.0.14 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-10092
Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscr...

Published
Oct 25, 2024
Patched Release
5.0.13
Affected Versions
Versions up to 5.0.12
Next Step
Update to 5.0.13 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-8552
Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level acce...

Published
Sep 25, 2024
Patched Release
5.0.10
Affected Versions
Versions up to 5.0.9
Next Step
Update to 5.0.10 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-3269
Download Monitor <= 4.9.13 - Missing Authorization

The Download Monitor plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on the dlm_uninstall_plugin function in all versions up to, and including, 4.9.13. This makes it possible for authenticated attackers to uninstall the...

Published
May 29, 2024
Patched Release
4.9.14
Affected Versions
Versions up to 4.9.13
Next Step
Update to 4.9.14 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-30501
Download Monitor <= 4.9.4 - Authenticated (Admin+) SQL Injection

The Download Monitor plugin for WordPress is vulnerable to SQL Injection via the 'limit' parameter in all versions up to 4.9.5 (exclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possi...

Published
Jan 08, 2024
Patched Release
4.9.5
Affected Versions
Versions before 4.9.5
Next Step
Update to 4.9.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-34007
Download Monitor <= 4.8.3 - Authenticated(Subscriber+) Arbitrary File Upload via upload_file

The Download Monitor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and access controls on the 'upload_file' function in versions up to, and including, 4.8.3. This makes it possible for authenticated attackers with subscriber-leve...

Published
Jun 07, 2023
Patched Release
4.8.4
Affected Versions
Versions before 4.8.4
Next Step
Update to 4.8.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-31219
Download Monitor <= 4.8.1 - Authenticated (Admin+) Server-Side Request Forgery

The Download Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 4.8.1 via the trigger() function. This makes it possible for authenticated attackers with administrative privileges to make web requests to arbitrary locations...

Published
May 30, 2023
Patched Release
4.8.2
Affected Versions
Versions up to 4.8.1
Next Step
Update to 4.8.2 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-45354
Download Monitor <= 4.7.60 - Sensitive Information Exposure via REST API

The Download Monitor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.7.60 via REST API. This can allow unauthenticated attackers to extract sensitive data including user reports, download reports, and user data including em...

Published
May 10, 2023
Patched Release
4.7.70
Affected Versions
Versions up to 4.7.60
Next Step
Update to 4.7.70 or newer if supported.
Open Full Report Open CVE Reference
Plugin High Patched: Yes CVE-2022-4972
Download Monitor <= 4.7.51 - Missing Authorization to Unauthenticated Data Export

The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and o...

Published
Nov 26, 2022
Patched Release
4.7.52
Affected Versions
Versions up to 4.7.51
Next Step
Update to 4.7.52 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes
Download Monitor <= 4.7.2 - Authenticated Directory Traversal to Sensitive Information Exposure

The Download Monitor plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.7.2 via the list_files function. This allows users with manage_downloads permissions to read the contents of arbitrary files on the server, which can contain sensiti...

Published
Nov 01, 2022
Patched Release
4.7.3
Affected Versions
Versions up to 4.7.2
Next Step
Update to 4.7.3 or newer if supported.
Open Full Report