CVE-2021-24693

Name of the Vulnerable Software and Affected Versions Simple Download Monitor WordPress plugin versions prior to 3.9.5

Description The issue allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks due to the lack of escaping of the File Thumbnail post meta before outputting it in some pages. This could lead to the execution of JavaScript code in the context of a reviewer, such as an admin, potentially resulting in the creation of a rogue admin account or the installation of a malicious plugin.

Recommendations For versions prior to 3.9.5, update to version 3.9.5 or later to resolve the issue. As a temporary workaround, consider restricting the role of users who can access and modify the File Thumbnail post meta to prevent potential exploitation.