CVE-2021-24786

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in the Download Monitor WordPress plugin allows attackers to manipulate database queries by injecting malicious SQL code through the 'orderby' parameter. It affects WordPress sites using vulnerable plugin versions, potentially exposing sensitive data like user credentials or allowing database manipulation.

💻 Affected Systems

Products:
  • Download Monitor WordPress Plugin
Versions: All versions before 4.4.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Download Monitor plugin enabled

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data exfiltration, privilege escalation, or site takeover

🟠

Likely Case

Unauthorized data access including download logs, user information, or plugin settings

🟢

If Mitigated

Limited impact with proper input validation and database permissions

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the plugin's logs page, which typically requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.5

Vendor Advisory: https://wordpress.org/plugins/download-monitor/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Download Monitor
4. Click 'Update Now' if available
5. Or download version 4.4.5+ from WordPress repository
6. Upload and replace existing plugin

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily disable the Download Monitor plugin until it is patched:

wp plugin deactivate download-monitor

Restrict Access

Platform: all

Limit access to the WordPress admin panel and to the plugin's logs functionality

🧯 If You Can't Patch

  • Put a web application firewall (WAF) with SQL injection rules in front of the site
  • Restrict the WordPress database user's permissions to the minimum required

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins → Installed Plugins and check the Download Monitor version number

Check Version:

wp plugin get download-monitor --field=version

Verify Fix Applied:

Confirm plugin version is 4.4.5 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to the admin panel

Network Indicators:

  • HTTP requests with SQL injection patterns in orderby parameter

SIEM Query:

SELECT * FROM web_logs WHERE url LIKE '%orderby=%' AND (url LIKE '%SELECT%' OR url LIKE '%UNION%' OR url LIKE '%--%')
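The SIEM query above only pattern-matches the raw URL. As an added example (not code from the advisory or from the Download Monitor project), the script below applies the same idea to access-log lines but URL-decodes the orderby value first, so encoded payloads are not missed, and it goes one step further than the query: because a legitimate sort key is a plain column identifier, any orderby value that is not an identifier is flagged even if no keyword matches. The log lines and the admin page path are constructed for the example; the real logs page URL is not given on this page.

```python
import re
import sys
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The page path
# "/wp-admin/admin.php?page=download-monitor-logs" is a placeholder for the
# plugin's logs page, whose real URL is not stated in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - admin [10/Nov/2021:10:01:02 +0000] "GET /wp-admin/admin.php?page=download-monitor-logs&orderby=download_date HTTP/1.1" 200 5120
203.0.113.5 - admin [10/Nov/2021:10:01:09 +0000] "GET /wp-admin/admin.php?page=download-monitor-logs&orderby=download_date%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5130
198.51.100.7 - - [10/Nov/2021:10:02:30 +0000] "GET /wp-content/uploads/file.pdf HTTP/1.1" 200 9001
203.0.113.9 - editor [10/Nov/2021:10:03:00 +0000] "GET /wp-admin/admin.php?page=download-monitor-logs&orderby=user_id%27%20OR%201=1-- HTTP/1.1" 200 5130
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators mirroring the advisory's SIEM query, applied to the decoded value.
SQLI_PATTERNS = [
    ("select", re.compile(r"\bselect\b", re.I)),
    ("union", re.compile(r"\bunion\b", re.I)),
    ("comment", re.compile(r"--")),
    ("quote", re.compile(r"'")),
]

# A legitimate sort key is an identifier: letters, digits, underscore, dot.
SAFE_ORDERBY = re.compile(r"^[A-Za-z0-9_.]+$")


def orderby_values(target):
    """Return all decoded 'orderby' values from a request target's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("orderby", [])


def classify(value):
    """Return the list of indicator names that fire for a decoded orderby value.

    Empty list means benign. A value that is not an identifier but matches no
    keyword is still reported as 'non_identifier', since no valid sort key
    contains spaces or punctuation.
    """
    if SAFE_ORDERBY.match(value):
        return []
    reasons = [name for name, rx in SQLI_PATTERNS if rx.search(value)]
    return reasons or ["non_identifier"]


def scan_log(text):
    """Scan access-log text and return one dict per suspicious orderby value."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        for value in orderby_values(m.group("target")):
            reasons = classify(value)
            if reasons:
                hits.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "ts": m.group("ts"),
                    "orderby": value,
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    # Read a real log from stdin if one is piped in, else use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for hit in scan_log(data):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} "
              f"orderby={hit['orderby']!r} reasons={','.join(hit['reasons'])}")
```

Run it as `python3 scan_orderby.py < access.log` against a web server log; on the constructed sample it reports the second and fourth lines and stays silent on the legitimate `orderby=download_date` request. Because the whitelist rule fires on anything that is not an identifier, tuning should start from the set of column names the plugin actually accepts rather than from the keyword list.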
