CVE-2024-10092
📋 TL;DR
The Download Monitor WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level permissions or higher to revoke existing API keys and generate new ones. This occurs because the ajax_handle_api_key_actions function lacks proper capability checks. WordPress sites using Download Monitor versions up to 5.0.12 are affected.
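The defect described above is a missing capability check in an AJAX handler. The following is an added illustrative example, not Download Monitor's code and not the vendor's patch: it shows the shape of an API-key action handler that a WordPress plugin should ship, with a nonce check for CSRF and a capability check for authorization. The action name, nonce name, option name and field names are assumptions made for the example.

```php
<?php
// Added illustrative example: an API-key AJAX handler with the authorization
// checks this class of handler needs. NOT the Download Monitor plugin's code.
// Hook name, nonce name, option name and POST field names are assumptions.

// Hypothetical storage helper: keys kept in a WordPress option, indexed by key id.
function example_get_api_keys() {
    $keys = get_option( 'example_api_keys', array() );
    return is_array( $keys ) ? $keys : array();
}

function example_handle_api_key_actions() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    check_ajax_referer() ends the request when the nonce is missing or invalid.
    check_ajax_referer( 'example_api_key_actions', 'nonce' );

    // 2. Authorization: being logged in is not enough. Only users allowed to
    //    manage the site (administrators by default) may revoke or create keys.
    //    Leaving this check out is the bug class described in CVE-2024-10092.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $action = isset( $_POST['key_action'] ) ? sanitize_key( wp_unslash( $_POST['key_action'] ) ) : '';
    $keys   = example_get_api_keys();

    switch ( $action ) {
        case 'revoke':
            $key_id = isset( $_POST['key_id'] ) ? sanitize_text_field( wp_unslash( $_POST['key_id'] ) ) : '';
            if ( '' === $key_id || ! isset( $keys[ $key_id ] ) ) {
                wp_send_json_error( array( 'message' => 'Unknown key.' ), 404 );
            }
            unset( $keys[ $key_id ] );
            update_option( 'example_api_keys', $keys );
            // Audit trail: the event name matches the SIEM query later on this page.
            error_log( sprintf( 'api_key_revoked user=%d key_id=%s', get_current_user_id(), $key_id ) );
            wp_send_json_success( array( 'revoked' => $key_id ) );
            break;

        case 'generate':
            $key_id          = wp_generate_uuid4();
            $keys[ $key_id ] = array(
                'secret'  => bin2hex( random_bytes( 32 ) ), // CSPRNG-backed secret
                'created' => time(),
                'user_id' => get_current_user_id(),
            );
            update_option( 'example_api_keys', $keys );
            error_log( sprintf( 'api_key_generated user=%d key_id=%s', get_current_user_id(), $key_id ) );
            // Return the secret once, at creation time only.
            wp_send_json_success( array( 'key_id' => $key_id, 'secret' => $keys[ $key_id ]['secret'] ) );
            break;

        default:
            wp_send_json_error( array( 'message' => 'Unsupported action.' ), 400 );
    }
}

// Registered for logged-in users only; the capability check inside the handler
// decides which of those users may actually act.
add_action( 'wp_ajax_example_api_key_actions', 'example_handle_api_key_actions' );
```

Two points matter when reviewing handlers like this one: a nonce check alone is not authorization, because any logged-in user can obtain a nonce from a page that renders it, and the `wp_ajax_` prefix only guarantees the caller is authenticated, not that they hold any particular role. The capability check is the line that separates a Subscriber from an administrator.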
💻 Affected Systems
- Download Monitor WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with subscriber access could disrupt legitimate API key usage, potentially breaking integrations that rely on these keys for authentication or authorization.
Likely Case
Malicious users could revoke legitimate API keys, causing service disruptions for applications or users relying on those keys for download access.
If Mitigated
With proper user access controls and monitoring, impact is limited to potential temporary service disruption until legitimate keys are restored.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.13 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3173614/download-monitor/trunk/src/KeyGeneration/class-dlm-key-generation.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Download Monitor and click 'Update Now'.
4. Alternatively, download version 5.0.13+ from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the Download Monitor plugin until patched
wp plugin deactivate download-monitor
wp plugin delete download-monitor
Restrict user roles
Temporarily restrict Subscriber role permissions or remove unnecessary subscriber accounts
🧯 If You Can't Patch
- Implement strict user access controls and monitor for suspicious API key activity
- Consider using alternative download management solutions temporarily
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Download Monitor version. If version is 5.0.12 or lower, you are vulnerable.
Check Version:
wp plugin list --name=download-monitor --field=version
Verify Fix Applied:
After updating, verify Download Monitor version is 5.0.13 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual API key generation or revocation events
- Multiple API key operations from single user accounts
- API key changes from non-administrator accounts
Network Indicators:
- Unusual patterns in API key usage or authentication failures
SIEM Query:
source="wordpress" AND (event="api_key_revoked" OR event="api_key_generated") AND user_role!="administrator"
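The SIEM query above expressed as a small offline filter, as an added example that is not part of the original advisory: it parses JSON-lines audit records, keeps API-key operations performed by non-administrator accounts, and flags accounts that performed several of them (the "multiple API key operations from a single account" indicator). The field names `ts`, `event`, `user` and `user_role`, and the sample records, are constructed for the example; map them to whatever your audit-log plugin actually emits.

```php
<?php
// Added example, not from the original page: the page's SIEM query run over
// exported JSON-lines audit records. Field names are assumptions.

const API_KEY_EVENTS = array( 'api_key_revoked', 'api_key_generated' );

// Constructed sample audit log for the example (one JSON object per line).
$sample_log = <<<'LOG'
{"ts":"2024-10-20T10:01:02Z","event":"user_login","user":"alice","user_role":"administrator"}
{"ts":"2024-10-20T10:02:15Z","event":"api_key_generated","user":"alice","user_role":"administrator"}
{"ts":"2024-10-20T10:05:40Z","event":"api_key_revoked","user":"bob","user_role":"subscriber"}
{"ts":"2024-10-20T10:05:41Z","event":"api_key_revoked","user":"bob","user_role":"subscriber"}
{"ts":"2024-10-20T10:05:43Z","event":"api_key_generated","user":"bob","user_role":"subscriber"}
not a json line
LOG;

/**
 * Records matching the page's query:
 * event is an API-key operation AND user_role is not "administrator".
 */
function find_non_admin_api_key_events( string $log ): array {
    $hits = array();
    foreach ( explode( "\n", $log ) as $line ) {
        $rec = json_decode( trim( $line ), true );
        if ( ! is_array( $rec ) || ! isset( $rec['event'], $rec['user_role'] ) ) {
            continue; // skip malformed lines instead of aborting the whole run
        }
        if ( in_array( $rec['event'], API_KEY_EVENTS, true ) && 'administrator' !== $rec['user_role'] ) {
            $hits[] = $rec;
        }
    }
    return $hits;
}

/** Accounts with at least $threshold API-key operations among the hits. */
function api_key_ops_per_user( array $hits, int $threshold = 2 ): array {
    $counts = array();
    foreach ( $hits as $rec ) {
        $user            = $rec['user'] ?? 'unknown';
        $counts[ $user ] = ( $counts[ $user ] ?? 0 ) + 1;
    }
    return array_filter( $counts, fn( $n ) => $n >= $threshold );
}

$hits = find_non_admin_api_key_events( $sample_log );
foreach ( $hits as $rec ) {
    printf( "%s %s by %s (%s)\n", $rec['ts'], $rec['event'], $rec['user'], $rec['user_role'] );
}
foreach ( api_key_ops_per_user( $hits ) as $user => $n ) {
    printf( "ALERT: %d API-key operations from non-admin account %s\n", $n, $user );
}
```

On the constructed sample, alice's key generation is dropped because she is an administrator, bob's three operations are listed, and bob is flagged for multiple operations. Once the plugin is updated to 5.0.13 or later, any remaining hits from this filter indicate either a role misconfiguration or an account that should not hold the capability, rather than this vulnerability.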
🔗 References
- https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.12/src/KeyGeneration/class-dlm-key-generation.php#L299
- https://plugins.trac.wordpress.org/changeset/3173614/download-monitor/trunk/src/KeyGeneration/class-dlm-key-generation.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f1e50d8c-e61c-4e94-b5e8-b24832dc24b6?source=cve