The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
The Download Monitor WordPress plugin versions up to 5.1.10 contain a Cross-Site Request Forgery vulnerability in download path management functions due to missing nonce verification. Unauthenticated attackers can trick administrators into deleting, disabling, or enabling download paths through forged requests.
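The root cause is a state-changing admin handler that trusts request parameters without a nonce. As an added illustration (not Download Monitor's code; all function, option and nonce names are hypothetical), here is the same pattern in a made-up WordPress admin handler, first as described in the advisory and then with the nonce and capability checks that close the hole:

```php
<?php
// Added example, not the plugin's code. Hypothetical handler for an admin page
// that manages "download paths" via ?action=delete|disable|enable&path_id=N.

// VULNERABLE PATTERN: acts on request parameters with no nonce and no capability
// check. Any request that reaches this code in an administrator's browser session
// is honoured, which is exactly what a forged cross-site request relies on.
function hypothetical_paths_handler_vulnerable() {
    if ( ! isset( $_GET['action'], $_GET['path_id'] ) ) {
        return;
    }
    $action  = sanitize_key( $_GET['action'] );
    $path_id = absint( $_GET['path_id'] );
    hypothetical_apply_path_action( $action, $path_id );
}

// HARDENED PATTERN: the link that triggers the action carries a nonce bound to the
// action and the row, and the handler verifies both the nonce and the caller's
// capability before changing anything. A third-party site cannot obtain the nonce.
function hypothetical_paths_action_link( $action, $path_id ) {
    $url = add_query_arg(
        array( 'page' => 'hypo-paths', 'action' => $action, 'path_id' => $path_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'hypo_path_' . $action . '_' . $path_id, '_wpnonce' );
}

function hypothetical_paths_handler_hardened() {
    if ( ! isset( $_GET['action'], $_GET['path_id'] ) ) {
        return;
    }
    $action  = sanitize_key( $_GET['action'] );
    $path_id = absint( $_GET['path_id'] );
    // Authorization: only users allowed to manage settings may act at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), 403 );
    }
    // CSRF protection: check_admin_referer() dies with a 403 page if the nonce
    // is missing, expired or bound to a different action/row.
    check_admin_referer( 'hypo_path_' . $action . '_' . $path_id, '_wpnonce' );
    hypothetical_apply_path_action( $action, $path_id );
}

// Hypothetical persistence helper shared by both handlers.
function hypothetical_apply_path_action( $action, $path_id ) {
    switch ( $action ) {
        case 'delete':  delete_option( 'hypo_path_' . $path_id ); break;
        case 'disable': update_option( 'hypo_path_' . $path_id . '_enabled', 0 ); break;
        case 'enable':  update_option( 'hypo_path_' . $path_id . '_enabled', 1 ); break;
    }
}
```

For a bulk handler driven by a WP_List_Table form, the equivalent check is `check_admin_referer( 'bulk-' . $this->_args['plural'] )`, since that is the nonce action the table's own form emits.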
The Download Monitor component for WordPress contains a CSRF vulnerability in its action-handling functions because nonce tokens are not verified. Unauthenticated attackers can trick site administrators into deleting, disabling, or enabling approved download paths. The vulnerability affects all versions up to 5.1.10.
Update the Download Monitor plugin to version 5.1.11 or later immediately. Ensure all WordPress installations using this plugin are patched. Implement Web Application Firewall rules to detect and block suspicious CSRF attempts. Train administrators on phishing and social engineering risks.
Update the Download Monitor plugin to version 5.1.11 or later immediately. Make sure all WordPress installations that use this plugin are patched. Apply Web Application Firewall rules to detect and block suspicious CSRF attempts. Train administrators on phishing and social engineering risks.