Vulnerabilities > Tipsandtricks HQ > Simple Download Monitor > 3.9.5

DATE CVE VULNERABILITY TITLE RISK
2022-01-24 CVE-2021-24694 Cross-site Scripting vulnerability in Tipsandtricks-Hq Simple Download Monitor
The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.
network
low complexity
tipsandtricks-hq CWE-79
5.4
5.4
2022-01-24 CVE-2021-24696 Unspecified vulnerability in Tipsandtricks-Hq Simple Download Monitor
The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads
network
low complexity
tipsandtricks-hq
8.8
8.8
2021-11-08 CVE-2021-24698 Unspecified vulnerability in Tipsandtricks-Hq Simple Download Monitor
The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.
network
low complexity
tipsandtricks-hq
4.3
4.3