CVE-2024-10092

Name of the Vulnerable Software and Affected Versions Download Monitor plugin for WordPress versions up to, and including, 5.0.12

Description The issue allows authenticated attackers with Subscriber-level access and above to modify data without authorization due to a missing capability check on the ajax handle api key actions function. This enables them to revoke existing API keys and generate new ones.

Recommendations For versions up to, and including, 5.0.12, update to a version that includes a fix for the missing capability check in the ajax handle api key actions function to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the ajax handle api key actions function to minimize the risk of exploitation.