CVE-2024-10399
📋 TL;DR
The Download Monitor WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to retrieve usernames and email addresses of all site users. This occurs because the ajax_search_users function lacks proper capability checks. All WordPress sites using Download Monitor versions up to 5.0.13 are affected.
💻 Affected Systems
- WordPress Download Monitor plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all user emails and usernames for phishing campaigns, credential stuffing attacks, or targeted social engineering against administrators and privileged users.
Likely Case
Low-privilege authenticated users can enumerate all site users, potentially identifying administrators for targeted attacks or gathering email addresses for spam.
If Mitigated
With proper network segmentation and user access controls, the impact is limited to information disclosure within the WordPress environment.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.14 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3178099/download-monitor/trunk/src/KeyGeneration/class-dlm-key-generation.php?contextall=1
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Download Monitor and click 'Update Now'. 4. Verify plugin version is 5.0.14 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate Download Monitor plugin until patched
wp plugin deactivate download-monitor
Restrict user registration
allDisable new user registration to prevent attackers from obtaining Subscriber accounts
🧯 If You Can't Patch
- Implement strict user access controls and monitor for suspicious user enumeration attempts
- Deploy web application firewall rules to block requests to the vulnerable ajax_search_users endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Download Monitor version. If version is 5.0.13 or lower, system is vulnerable.Check Version:
wp plugin get download-monitor --field=versionVerify Fix Applied:
After updating, confirm Download Monitor version is 5.0.14 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to /wp-admin/admin-ajax.php with action=dlm_ajax_search_users from low-privilege user accounts
- Unusual user enumeration patterns in WordPress logs
Network Indicators:
- POST requests to admin-ajax.php with dlm_ajax_search_users parameter from non-admin IP addresses
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "dlm_ajax_search_users" AND user_role="subscriber"🔗 References
- https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.13/src/KeyGeneration/class-dlm-key-generation.php#L266
- https://plugins.trac.wordpress.org/changeset/3178099/download-monitor/trunk/src/KeyGeneration/class-dlm-key-generation.php?contextall=1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/03b88862-012a-4dc6-9abb-99dc0d9408fd?source=cve
