CVE-2021-24695

Simple Download Monitor < 3.9.6 - Unauthenticated Log Access

EPSS: 1.6%
CWE-425
Vexday Risk Score: 3 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS | EPSS 1.6% | KEV: no | PoC | Nuclei | Metasploit | Patch
Lifecycle
08 Nov 2021: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In short

The Simple Download Monitor plugin saves download logs in an easy-to-guess location without requiring login. Anyone on the internet can access these logs and see sensitive information like IP addresses and usernames.

Technical detail

CWE-425 (Direct Request): The plugin stores logs in a predictable directory without authentication checks, allowing unauthenticated users to directly access and download files containing IP addresses and usernames. No pre-authentication is required; the attacker needs only knowledge of the log file location.

Summary generated and translated by AI from the official description.
The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users from downloading and reading the logs containing sensitive information such as IP addresses and usernames.
