Plugin Vulnerability Hub
Plugin | 17 known issues | Latest disclosed: Feb 26, 2026

Simple Download Monitor Vulnerabilities

Review known vulnerability records for the WordPress plugin Simple Download Monitor (`simple-download-monitor`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-2383, CVE-2025-58197 and CVE-2025-8977, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 17
High or Critical: 4
Patch Coverage: 100%
Last Updated: Feb 27, 2026

Indexed CVEs: 15

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Simple Download Monitor so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 17 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 2 critical and 2 high severity findings.
Recent CVEs: CVE-2026-2383, CVE-2025-58197 and CVE-2025-8977
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for Simple Download Monitor

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: Medium | Patched: Yes | CVE-2026-2383
CVE-2026-2383: Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contribu...

Published: Feb 26, 2026
Patched Release: 4.0.6
Affected Versions: Versions up to 4.0.5
Next Step: Update to 4.0.6 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-58197
CVE-2025-58197: Simple Download Monitor <= 3.9.34 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.9.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and...

Published: Aug 27, 2025
Patched Release: 3.9.35
Affected Versions: Versions up to 3.9.34
Next Step: Update to 3.9.35 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-8977
CVE-2025-8977: Simple Download Monitor <= 3.9.33 - Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality

The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

Published: Aug 27, 2025
Patched Release: 3.9.34
Affected Versions: Versions up to 3.9.33
Next Step: Update to 3.9.34 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-24663
CVE-2025-24663: Simple Download Monitor <= 3.9.25 - Authenticated (Administrator+) SQL Injection

The Simple Download Monitor plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.9.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authentica...

Published: Jan 24, 2025
Patched Release: 3.9.26
Affected Versions: Versions up to 3.9.25
Next Step: Update to 3.9.26 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2021-24696
CVE-2021-24696: Simple Download Monitor <= 3.9.8 - Multiple Cross-Site Request Forgery vulnerabilities

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remo...

Published: Dec 21, 2021
Patched Release: 3.9.9
Affected Versions: Versions up to 3.9.8
Next Step: Update to 3.9.9 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2021-24694
CVE-2021-24694: Simple Download Monitor <= 3.9.10 - Contributor+ Stored Cross-Site Scripting via Shortcodes

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form s...

Published: Dec 21, 2021
Patched Release: 3.9.11
Affected Versions: Versions up to 3.9.10
Next Step: Update to 3.9.11 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2021-24695
CVE-2021-24695: Simple Download Monitor <= 3.9.5 - Sensitive Data Exposure

The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users from downloading and reading the logs containing Sensitive Information such as IP Addresses and...

Published: Oct 05, 2021
Patched Release: 3.9.6
Affected Versions: Versions before 3.9.6
Next Step: Update to 3.9.6 or newer if supported.

Plugin | Severity: Critical | Patched: Yes | CVE-2021-24693
CVE-2021-24693: Simple Download Monitor <= 3.9.4 - Contributor+ Stored Cross-Site Scripting via File Thumbnail

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given that XSS is triggered e...

Published: Oct 05, 2021
Patched Release: 3.9.5
Affected Versions: Versions up to 3.9.4
Next Step: Update to 3.9.5 or newer if supported.

Plugin | Severity: Medium | Patched: Yes
Simple Download Monitor <= 3.9.5 - Log Reset

The Simple Download Monitor plugin for WordPress is vulnerable to Log Resets in versions up to, and including, 3.9.5. This is due to a lack of nonce and capability checks on the 'sdm_reset_log' AJAX action. This makes it possible for authenticated subscriber-level attackers and a...

Published: Oct 05, 2021
Patched Release: 3.9.6
Affected Versions: Versions up to 3.9.5
Next Step: Update to 3.9.6 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2021-24698
CVE-2021-24698: Simple Download Monitor <= 3.9.5 - Contributor+ Arbitrary Thumbnail Removal

The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.

Published: Oct 05, 2021
Patched Release: 3.9.6
Affected Versions: Versions before 3.9.6
Next Step: Update to 3.9.6 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2021-24697
CVE-2021-24697: Simple Download Monitor <= 3.9.4 - Reflected Cross-Site Scripting

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.

Published: Oct 05, 2021
Patched Release: 3.9.5
Affected Versions: Versions before 3.9.5
Next Step: Update to 3.9.5 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2021-24692
CVE-2021-24692: Simple Download Monitor <= 3.9.4 - Contributor+ Arbitrary File Download

The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

Published: Sep 02, 2021
Patched Release: 3.9.5
Affected Versions: Versions before 3.9.5
Next Step: Update to 3.9.5 or newer if supported.