CVE-2022-4972
📋 TL;DR
The Download Monitor WordPress plugin up to version 4.7.51 has an authorization bypass vulnerability in REST-API reporting routes. Unauthenticated attackers can access sensitive information intended for administrators, including user data. This affects all WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- WordPress Download Monitor plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all user data, download logs, and potentially pivot to other attacks using stolen information.
Likely Case
Unauthenticated attackers accessing sensitive reporting data, user information, and potentially download statistics.
If Mitigated
Limited impact if proper network segmentation and web application firewalls block unauthorized REST-API access.
🎯 Exploit Status
Simple HTTP requests to vulnerable REST endpoints can trigger the vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.52 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Download Monitor and update to version 4.7.52 or later.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable REST-API endpoints
Block access to the vulnerable REST endpoints using a web application firewall or .htaccess rules
# Add to .htaccess to block specific endpoints
RewriteEngine On
RewriteRule ^wp-json/download-monitor/v1/reports - [F,L]
Disable plugin
Temporarily disable the Download Monitor plugin until it is patched
wp plugin deactivate download-monitor
🧯 If You Can't Patch
- Implement strict network access controls to limit REST-API access to trusted IPs only
- Deploy web application firewall with rules to block unauthorized access to /wp-json/download-monitor/v1/reports endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for the Download Monitor version. If the version is 4.7.51 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=download-monitor --field=version
Verify Fix Applied:
After updating, verify Download Monitor version shows 4.7.52 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /wp-json/download-monitor/v1/reports/* endpoints
- Multiple 200 responses to REST-API endpoints from unauthenticated users
Network Indicators:
- Unusual spikes in requests to WordPress REST-API endpoints
- GET/POST requests to download-monitor reporting endpoints without authentication headers
SIEM Query:
source="web_server" AND (uri_path="/wp-json/download-monitor/v1/reports" OR uri_path LIKE "/wp-json/download-monitor/v1/reports/%") AND http_status=200 AND NOT (user_agent LIKE "%bot%" OR user_agent LIKE "%crawl%" OR authenticated_user EXISTS)
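To run the detection logic described above over log data, the following is an added Python example (not part of the original advisory) that applies the same criteria as the SIEM query to a JSON-per-line access log: a request to the reporting routes, HTTP 200, no authenticated WordPress user, and not a self-identified crawler. The log format, the `authenticated_user` field and the sample events are assumptions constructed for the example. It goes one step beyond the query: it also matches the `?rest_route=` form of the URL, which WordPress accepts as an alternative to the `/wp-json/` path and which a path-only .htaccess rule like the one in the workaround above does not cover.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Reporting routes of the Download Monitor REST API named in the advisory.
REPORTS_PATH_PREFIX = "/wp-json/download-monitor/v1/reports"
REPORTS_ROUTE_PREFIX = "/download-monitor/v1/reports"

# The advisory's SIEM query drops obvious crawlers; keep the same exclusion,
# bearing in mind that the User-Agent header is client-controlled.
CRAWLER_UA = re.compile(r"bot|crawl", re.IGNORECASE)


def targets_reports_api(uri):
    """True if the request reaches the reporting routes, either through the
    pretty /wp-json/ path or through WordPress's ?rest_route= query fallback,
    which a path-only .htaccess rule does not cover."""
    parts = urlsplit(uri)
    if parts.path.startswith(REPORTS_PATH_PREFIX):
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.startswith(REPORTS_ROUTE_PREFIX):
            return True
    return False


def is_suspicious(event):
    """Mirror the advisory's query: reports endpoint, HTTP 200, no
    authenticated WordPress user, not a self-identified crawler."""
    if not targets_reports_api(event["uri"]):
        return False
    if event["status"] != 200:
        return False
    if event.get("authenticated_user"):
        return False
    if CRAWLER_UA.search(event.get("user_agent", "")):
        return False
    return True


def scan(log_lines):
    """Parse JSON-per-line web server events and return the suspicious ones."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append(event)
    return hits


def hits_by_source(hits):
    """Count suspicious requests per source IP to surface bulk enumeration."""
    return Counter(h["src_ip"] for h in hits)


# Constructed sample log (hypothetical JSON access-log format with an
# 'authenticated_user' field filled in by the web server or a WordPress
# logging plugin). Addresses are from documentation ranges.
SAMPLE_LOG = """
{"ts": "2024-01-10T08:00:01Z", "src_ip": "203.0.113.7", "method": "GET", "uri": "/wp-json/download-monitor/v1/reports/users", "status": 200, "user_agent": "curl/8.4.0", "authenticated_user": null}
{"ts": "2024-01-10T08:00:02Z", "src_ip": "192.0.2.10", "method": "GET", "uri": "/wp-json/download-monitor/v1/reports", "status": 200, "user_agent": "Mozilla/5.0", "authenticated_user": "admin"}
{"ts": "2024-01-10T08:00:03Z", "src_ip": "203.0.113.7", "method": "GET", "uri": "/index.php?rest_route=/download-monitor/v1/reports/downloads", "status": 200, "user_agent": "python-requests/2.31", "authenticated_user": null}
{"ts": "2024-01-10T08:00:04Z", "src_ip": "198.51.100.9", "method": "GET", "uri": "/wp-json/download-monitor/v1/reports/users", "status": 401, "user_agent": "curl/8.4.0", "authenticated_user": null}
{"ts": "2024-01-10T08:00:05Z", "src_ip": "198.51.100.9", "method": "GET", "uri": "/wp-json/wp/v2/posts", "status": 200, "user_agent": "curl/8.4.0", "authenticated_user": null}
{"ts": "2024-01-10T08:00:06Z", "src_ip": "192.0.2.44", "method": "GET", "uri": "/wp-json/download-monitor/v1/reports", "status": 200, "user_agent": "Googlebot/2.1", "authenticated_user": null}
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for event in found:
        print(event["ts"], event["src_ip"], event["uri"])
    print(dict(hits_by_source(found)))
```

On the constructed sample this flags the two unauthenticated 200 responses from 203.0.113.7 (one via the pretty path, one via `?rest_route=`) and ignores the authenticated request, the 401, the unrelated `/wp/v2/posts` route and the crawler. If the .htaccess workaround is used, extend its rule (or the WAF rule) to the `rest_route` query form as well, otherwise the blocked path can simply be reached the other way.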
🔗 References
- https://plugins.trac.wordpress.org/changeset/2822758/download-monitor/trunk/src/Admin/Reports/class-dlm-reports.php?contextall=1&old=2821522&old_path=%2Fdownload-monitor%2Ftrunk%2Fsrc%2FAdmin%2FReports%2Fclass-dlm-reports.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9000c52-fdd7-43e2-ae6a-9f127c4a9fcd?source=cve