CVE-2026-3124
Download Monitor · Download Monitor (WordPress Plugin)
The Download Monitor plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) flaw. This allows unauthorized access to restricted files in versions up to 5.x.
Executive summary
The Download Monitor WordPress plugin contains a high-severity IDOR vulnerability that allows unauthorized users to access and download restricted files.
Vulnerability
The plugin fails to properly validate user permissions when requesting specific file IDs. This Insecure Direct Object Reference (IDOR) allows an attacker to access sensitive downloads by simply guessing or iterating through resource identifiers.
Business impact
This vulnerability directly threatens the confidentiality of digital assets, including proprietary software, sensitive documents, or paid content. With a CVSS score of 7.5, the risk is high; unauthorized access to these files could lead to significant intellectual property theft and loss of revenue for organizations relying on the plugin for access control.
Remediation
Immediate Action: Update the Download Monitor plugin to the latest version, which corrects the missing authorization checks on file requests.
Proactive Monitoring: Review WordPress access logs for patterns of sequential file requests or access attempts to file IDs that do not belong to the requesting user.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block IDOR-style attacks and directory traversal patterns.
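As an added illustration of the proactive-monitoring step above (example code, not part of this advisory or the plugin), the following script flags clients in a web-server access log whose download requests walk through sequential download IDs. It assumes the plugin's default `/download/<id>/` URL pattern and Apache combined log format; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:14:02:11 +0000] "GET /download/101/ HTTP/1.1" 200 5120 "-" "curl/8.5"
203.0.113.5 - - [10/Mar/2026:14:02:12 +0000] "GET /download/102/ HTTP/1.1" 200 8813 "-" "curl/8.5"
203.0.113.5 - - [10/Mar/2026:14:02:12 +0000] "GET /download/103/ HTTP/1.1" 403 211 "-" "curl/8.5"
203.0.113.5 - - [10/Mar/2026:14:02:13 +0000] "GET /download/104/ HTTP/1.1" 200 9901 "-" "curl/8.5"
203.0.113.5 - - [10/Mar/2026:14:02:13 +0000] "GET /download/105/ HTTP/1.1" 200 1204 "-" "curl/8.5"
203.0.113.5 - - [10/Mar/2026:14:02:14 +0000] "GET /download/106/ HTTP/1.1" 404 198 "-" "curl/8.5"
198.51.100.7 - - [10/Mar/2026:14:05:40 +0000] "GET /download/12/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:09:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:11:55 +0000] "GET /download/340/ HTTP/1.1" 200 6620 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Assumption: the plugin's default /download/<id>/ endpoint; adjust to the site's configured slug.
DOWNLOAD_RE = re.compile(r'^/download/(?P<id>\d+)/?(?:\?.*)?$')

def parse_download_requests(log_text):
    """Return {ip: [(download_id, status), ...]} in request order, ignoring other paths."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (d := DOWNLOAD_RE.match(m["path"])):
            per_ip[m["ip"]].append((int(d["id"]), int(m["status"])))
    return per_ip

def longest_sequential_run(ids):
    """Longest run of consecutive requests whose IDs step by exactly +1 or -1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=5):
    """Flag clients whose download IDs form a sequential run of at least min_run."""
    flagged = {}
    for ip, reqs in parse_download_requests(log_text).items():
        ids = [i for i, _ in reqs]
        run = longest_sequential_run(ids)
        if run >= min_run:
            # "served" counts requests that actually returned a file (HTTP 200)
            flagged[ip] = {"requests": len(ids), "distinct_ids": len(set(ids)),
                           "longest_run": run, "served": sum(s == 200 for _, s in reqs)}
    return flagged
```

Tune `min_run` to the site's normal traffic; a legitimate user rarely requests adjacent download IDs in order, so even a short run is worth a look.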
Exploitation status
Public Exploit Available: false
Analyst recommendation
The 7.5 CVSS score highlights the urgent need for remediation. Administrators must update the plugin immediately to the latest version to prevent unauthorized users from harvesting sensitive digital assets.