Published: 2020/10/21 Last Updated: 2020/10/21
JVN#31425618
Multiple vulnerabilities in WordPress Plugin "Simple Download Monitor"
Overview
WordPress Plugin "Simple Download Monitor" contains multiple vulnerabilities.
Products Affected
- Simple Download Monitor 3.8.8 and earlier
Description
WordPress Plugin "Simple Download Monitor" provided by Tips and Tricks HQ contains multiple vulnerabilities listed below.
- Cross-site Scripting (CWE-79) - CVE-2020-5650
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, Base Score: 6.1
  CVSS v2: AV:N/AC:M/Au:N/C:N/I:P/A:N, Base Score: 4.3
- SQL Injection (CWE-89) - CVE-2020-5651
  CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L, Base Score: 5.4
  CVSS v2: AV:N/AC:M/Au:N/C:N/I:P/A:P, Base Score: 5.8
Impact
- An arbitrary script may be executed on the logged-in user's web browser - CVE-2020-5650
- An arbitrary SQL command may be executed if a user accesses a specially crafted URL while logged in - CVE-2020-5651
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
Vendor Status
Vendor | Link |
Tips and Tricks HQ | Simple Download Monitor |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated with them on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for publication under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2020-5650, CVE-2020-5651
JVN iPedia | JVNDB-2020-000069