Security for everyone

CVE-2022-45354 Scanner

Detects the 'Sensitive Information Exposure' vulnerability in Download Monitor (affects versions <= 4.7.60)


Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 sec
Scan only one: Url

Download Monitor is a widely-used WordPress plugin designed for managing and tracking file downloads on WordPress sites. It is utilized by website owners to offer downloadable content while keeping track of download counts and user access. This plugin is essential for businesses, educational platforms, and content creators who need to securely distribute files to their audience. It offers features like download logging, user access control, and file protection to prevent unauthorized access. The plugin enhances WordPress sites by providing an organized and efficient way to handle downloadable content.

CVE-2022-45354 identifies a high-severity Sensitive Information Exposure vulnerability in versions up to and including 4.7.60 of the Download Monitor WordPress plugin. This vulnerability allows unauthenticated attackers to access sensitive data through the REST API, including user reports, download reports, and detailed user data such as email, role, and ID. This exposure does not include passwords but can lead to significant privacy breaches and unauthorized access to restricted information.

The vulnerability arises because the plugin does not properly restrict access to the REST API endpoint /wp-json/download-monitor/v1/user_data. As a result, sensitive information about users and downloads can be accessed without authentication. The exposed data includes, but is not limited to, user email addresses, roles, IDs, and download activities. This oversight in API security can be exploited by sending a simple HTTP GET request to the vulnerable endpoint.
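The two facts above (the affected version boundary and the unauthenticated REST endpoint) are what a site owner needs to check on their own side. The following is an added example written for this page, not code from the securityforeveryone scanner or from the Download Monitor plugin: it compares a plugin version against the 4.7.60 boundary numerically (so that 4.10.x is not mistaken for an affected release), and it sweeps web-server access logs for successful reads of the user_data endpoint. It assumes Apache/nginx common-log-format lines, handles both the /wp-json/ route form and WordPress's plain-permalink /index.php?rest_route= form, and the log lines it runs on are constructed samples. Access logs cannot show whether a request carried a WordPress login cookie, so every 2xx read of the endpoint is reported for review rather than labelled as an attack.

```python
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Route and version boundary as stated in the advisory text.
DLM_USER_DATA_ROUTE = "/download-monitor/v1/user_data"
LAST_AFFECTED_VERSION = "4.7.60"

# Apache/nginx common-log-format request line (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:09:12:01 +0000] "GET /blog/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2024:09:12:07 +0000] "GET /wp-json/download-monitor/v1/user_data HTTP/1.1" 200 8841',
    '198.51.100.4 - - [10/Mar/2024:09:13:22 +0000] "GET /index.php?rest_route=%2Fdownload-monitor%2Fv1%2Fuser_data HTTP/1.1" 200 8841',
    '198.51.100.4 - - [10/Mar/2024:09:13:40 +0000] "GET /wp-json/download-monitor/v1/user_data?page=2 HTTP/1.1" 401 120',
]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.7.60' into (4, 7, 60) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected_version(version: str) -> bool:
    """True for Download Monitor releases up to and including 4.7.60."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED_VERSION)


def rest_route_of(target: str) -> Optional[str]:
    """Return the REST route of a request target, or None for non-REST requests.

    WordPress exposes the REST API as /wp-json/<route> with pretty permalinks
    and as /index.php?rest_route=/<route> with plain permalinks; both map to
    the same route string here so the query-string form is not missed.
    """
    path, _, query = target.partition("?")
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].rstrip("/")
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key == "rest_route":
            return urllib.parse.unquote(value).rstrip("/")
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields; None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_user_data_reads(lines: List[str]) -> List[Dict[str, str]]:
    """Return successful (2xx) requests to the user_data endpoint.

    401/403 responses mean the server refused the request and are skipped;
    a 2xx means data was served and the request deserves a look.
    """
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        if rest_route_of(record["target"]) != DLM_USER_DATA_ROUTE:
            continue
        if record["status"].startswith("2"):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for v in ("4.7.59", "4.7.60", "4.7.61", "4.10.0"):
        print(f"Download Monitor {v}: affected={is_affected_version(v)}")
    for hit in find_user_data_reads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} read user_data via {hit['target']} (HTTP {hit['status']})")
```

Feed the function the lines of your own access log; an empty result means no successful read of the endpoint was logged in that window, while any hit should be checked against the plugin version and, for affected releases, followed by an update to a release newer than 4.7.60.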

Exploiting this vulnerability can lead to various adverse impacts, including data breaches, privacy violations, and potentially unauthorized actions on the website. Attackers could use the exposed information for phishing attacks, identity theft, or to gain further access to the website's administrative functions. The exposure of user and download data undermines the confidentiality and integrity of the website, posing a significant risk to both site owners and users.

By joining the securityforeveryone platform, users gain access to a powerful toolset designed to identify and mitigate vulnerabilities like CVE-2022-45354 in Download Monitor. Our platform's comprehensive security scans and assessments enable website owners to detect potential exposures early, safeguarding their digital assets against unauthorized access and data breaches. Membership provides peace of mind through continuous monitoring, expert support, and actionable insights to maintain robust security postures in an ever-evolving threat landscape.



Cyber security services for everyone. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control your security posture