
Download Monitor Plugin Allows Attackers to Delete or Modify Download Paths

CVE-2026-4401
Summary

The Download Monitor plugin for WordPress does not verify that certain administrative requests were deliberately sent by the administrator (nonce verification is missing). An attacker could therefore trick an administrator into deleting, disabling, or enabling approved download paths on the website. To protect your site, update to the latest version of the plugin, or consider disabling the plugin until an update is available.

Original title
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versio...
Original description
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
NVD CVSS 3.1: 5.4
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026
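
The missing control named in the description, shown as an added example for a generic WordPress admin handler. This is not Download Monitor's code or its patch; the `example_` function names, the `example-paths` page slug and the `example_paths` option are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler for state-changing
// "path" actions that checks both authorization and request intent.
const EXAMPLE_NONCE = 'example_path_action';

// Admin link builder: the nonce ties the URL to the logged-in user and to one path ID.
function example_path_action_url( $action, $path_id ) {
    $args = array( 'page' => 'example-paths', 'action' => $action, 'path_id' => (int) $path_id );
    return wp_nonce_url( add_query_arg( $args, admin_url( 'admin.php' ) ), EXAMPLE_NONCE . '_' . (int) $path_id );
}

function example_actions_handler() {
    if ( ! isset( $_GET['page'], $_GET['action'], $_GET['path_id'] ) || 'example-paths' !== $_GET['page'] ) {
        return; // Not a request for this handler.
    }
    $action  = sanitize_key( wp_unslash( $_GET['action'] ) );
    $path_id = absint( $_GET['path_id'] );

    // Authorization: may this user change download paths at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Intent: did the request come from a link this site generated for this user?
    // A handler without this call has the CWE-352 shape: the session cookie alone
    // is enough to reach the state change below. check_admin_referer() stops
    // execution when the _wpnonce parameter is missing or invalid.
    check_admin_referer( EXAMPLE_NONCE . '_' . $path_id );

    $paths = get_option( 'example_paths', array() );
    if ( ! isset( $paths[ $path_id ] ) ) {
        return;
    }
    switch ( $action ) {
        case 'delete':
            unset( $paths[ $path_id ] );
            break;
        case 'enable':
        case 'disable':
            $paths[ $path_id ]['enabled'] = ( 'enable' === $action );
            break;
        default:
            return; // Unknown action: change nothing.
    }
    update_option( 'example_paths', $paths );
}
add_action( 'admin_init', 'example_actions_handler' );
```

A bulk handler that receives a form submission follows the same pattern: the form emits the token with `wp_nonce_field()` and the handler calls `check_admin_referer()` before iterating over the selected items.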