Simple Download Monitor Security & Risk Analysis

wordpress.org/plugins/simple-download-monitor

Easily manage downloadable files and monitor downloads of your digital files from your WordPress site.

20K active installs · v4.0.6 · PHP + · WP 6.0+ · Updated Mar 27, 2026
Tags: count, counter, download, downloads, tracker
Score: 77 · B · Generally Safe
CVEs total: 17
Unpatched: 0
Last CVE: Feb 26, 2026
Safety Verdict

Is Simple Download Monitor Safe to Use in 2026?

Mostly Safe

Score 77/100

Simple Download Monitor is generally safe to use. 17 past CVEs were resolved.

17 known CVEs · Last CVE: Feb 26, 2026 · Updated 1mo ago
Risk Assessment

The 'simple-download-monitor' plugin v4.0.6 exhibits a mixed security posture. While it demonstrates good practices in SQL query sanitization (83% prepared) and output escaping (78%), several areas raise concerns. A significant attack surface exists with 23 entry points, 5 of which lack authentication checks, indicating a potential for unauthorized access or manipulation.

The taint analysis reveals 9 flows with unsanitized paths, two of which are flagged as high severity. This suggests a risk of path traversal or other file system vulnerabilities if these flows are exploited. Coupled with a history of 17 known CVEs, including 2 critical and 2 high severity vulnerabilities, the plugin has a track record of significant security weaknesses.

While there are currently no unpatched CVEs and the use of prepared statements is commendable, the recurring nature of critical and high severity vulnerabilities in its history, along with the identified unsanitized path flows and unprotected AJAX handlers, points to persistent security issues. The plugin's past indicates a need for careful monitoring and prompt patching of any newly discovered vulnerabilities. Users should be aware of the potential risks associated with its attack surface and taint analysis findings.

Key Concerns

  • 5 unprotected AJAX handlers
  • 2 high severity taint flows
  • 9 flows with unsanitized paths
  • 2 critical CVEs (historically)
  • 2 high CVEs (historically)
  • 4 Capability checks (low)
Vulnerabilities
17 published

Simple Download Monitor Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE
  • 2018: 2 CVEs
  • 2020: 2 CVEs
  • 2021: 8 CVEs
  • 2025: 3 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • Critical: 2
  • High: 2
  • Medium: 13

17 total CVEs

CVE-2026-2383 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

Feb 26, 2026 Patched in 4.0.6 (1d)
CVE-2025-8977 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Simple Download Monitor <= 3.9.33 - Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality

Aug 27, 2025 Patched in 3.9.34 (1d)
CVE-2025-58197 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor <= 3.9.34 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 27, 2025 Patched in 3.9.35 (8d)
CVE-2025-24663 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Simple Download Monitor <= 3.9.25 - Authenticated (Administrator+) SQL Injection

Jan 24, 2025 Patched in 3.9.26 (5d)
CVE-2021-24696 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Simple Download Monitor <= 3.9.8 - Multiple Cross-Site Request Forgery vulnerabilities

Dec 21, 2021 Patched in 3.9.9 (763d)
CVE-2021-24694 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor <= 3.9.10 - Contributor+ Stored Cross-Site Scripting via Shortcodes

Dec 21, 2021 Patched in 3.9.11 (763d)
CVE-2021-24693 · critical · 9 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor <= 3.9.4 - Contributor+ Stored Cross-Site Scripting via File Thumbnail

Oct 5, 2021 Patched in 3.9.5 (840d)
CVE-2021-24698 · medium · 4.3 · Improper Access Control

Simple Download Monitor <= 3.9.5 - Contributor+ Arbitrary Thumbnail Removal

Oct 5, 2021 Patched in 3.9.6 (840d)
CVE-2021-24695 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Simple Download Monitor <= 3.9.5 - Sensitive Data Exposure

Oct 5, 2021 Patched in 3.9.6 (840d)

Simple Download Monitor <= 3.9.5 - Log Reset

Oct 5, 2021 Patched in 3.9.6 (840d)
CVE-2021-24697 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor <= 3.9.4 - Reflected Cross-Site Scripting

Oct 5, 2021 Patched in 3.9.5 (840d)
CVE-2021-24692 · medium · 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Simple Download Monitor <= 3.9.4 - Contributor+ Arbitrary File Download

Sep 2, 2021 Patched in 3.9.5 (873d)
CVE-2020-5650 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor <= 3.8.8 - Unauthenticated Stored Cross-Site Scripting

Oct 21, 2020 Patched in 3.3.9 (1189d)
CVE-2020-5651 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Simple Download Monitor <= 3.8.8 - SQL Injection

Oct 21, 2020 Patched in 3.8.9 (1189d)
CVE-2018-5212 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor < 3.5.4 - Authenticated Stored Cross-Site Scripting

Jan 2, 2018 Patched in 3.5.4 (2212d)
CVE-2018-5213 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Download Monitor < 3.5.4 - Authenticated Stored Cross-Site Scripting

Jan 2, 2018 Patched in 3.5.4 (2212d)

Simple Download Monitor <= 3.2.8 - Missing Authorization

Jan 19, 2016 Patched in 3.2.9 (2926d)
Code Analysis
Analyzed Mar 16, 2026

Simple Download Monitor Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 8 (40 prepared)
  • Unescaped Output: 92 (318 escaped)
  • Nonce Checks: 16
  • Capability Checks: 4
  • File Operations: 13
  • External Requests: 5
  • Bundled Libraries: 0

SQL Query Safety

83% prepared · 48 total queries

Output Escaping

78% escaped · 410 total outputs
Data Flows · Security
9 unsanitized

Data Flow Analysis

17 flows · 9 with unsanitized paths
sdm_handle_individual_logs_tab_page (includes\admin-side\sdm-admin-individual-item-logs-page.php:3)
Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
5 unprotected

Simple Download Monitor Attack Surface

Entry Points: 23
Unprotected: 5

AJAX Handlers 9

auth · wp_ajax_sdm_remove_thumbnail_image · includes\admin-side\sdm-admin-edit-download.php:12
auth · wp_ajax_sdm_feedback_notice_dismiss · includes\admin-side\sdm-admin-user-feedback.php:23
auth · wp_ajax_sdm_reset_log · main.php:120
auth · wp_ajax_sdm_delete_data · main.php:121
auth · wp_ajax_sdm_export_logs · main.php:122
nopriv · wp_ajax_sdm_tiny_get_post_ids · main.php:976
auth · wp_ajax_sdm_tiny_get_post_ids · main.php:977
nopriv · wp_ajax_sdm_pop_cats · main.php:1004
auth · wp_ajax_sdm_pop_cats · main.php:1005

Shortcodes 14

[sdm_download] sdm-shortcodes.php:13
[sdm-download] sdm-shortcodes.php:14
[sdm_download_counter] sdm-shortcodes.php:15
[sdm-download-counter] sdm-shortcodes.php:16
[sdm_latest_downloads] sdm-shortcodes.php:17
[sdm-latest-downloads] sdm-shortcodes.php:18
[sdm_popular_downloads] sdm-shortcodes.php:19
[sdm_download_link] sdm-shortcodes.php:21
[sdm_show_all_dl] sdm-shortcodes.php:23
[sdm_show_dl_from_category] sdm-shortcodes.php:25
[sdm_download_categories] sdm-shortcodes.php:26
[sdm_download_categories_list] sdm-shortcodes.php:28
[sdm_search_form] sdm-shortcodes.php:29
[sdm_show_download_info] sdm-shortcodes.php:31
WordPress Hooks 60
action · add_meta_boxes_sdm_downloads · includes\admin-side\sdm-admin-edit-download.php:6
action · save_post_sdm_downloads · includes\admin-side\sdm-admin-edit-download.php:7
filter · wp_insert_post_data · includes\admin-side\sdm-admin-edit-download.php:9
action · admin_notices · includes\admin-side\sdm-admin-user-feedback.php:22
action · sdm_file_protection_settings_updated · includes\file-protection\sdm-file-protection-handler.php:12
filter · upload_dir · includes\file-protection\sdm-file-protection-handler.php:15
action · add_attachment · includes\file-protection\sdm-file-protection-handler.php:18
filter · wp_prepare_attachment_for_js · includes\file-protection\sdm-file-protection-handler.php:21
action · pre_get_posts · includes\file-protection\sdm-file-protection-handler.php:24
action · plugins_loaded · includes\integrations\class-sdm-emember-integration.php:13
action · sdm_file_protection_settings_updated · includes\integrations\class-sdm-emember-integration.php:14
action · sdm_after_file_protection_settings_fields · includes\integrations\class-sdm-emember-integration.php:15
action · sdm_process_download_request · includes\integrations\class-sdm-emember-integration.php:29
action · sdm_sf_process_download_request · includes\integrations\class-sdm-emember-integration.php:30
filter · sdm_download_button_code_html · includes\integrations\class-sdm-emember-integration.php:33
action · plugins_loaded · includes\integrations\class-sdm-swpm-integration.php:12
action · sdm_file_protection_settings_updated · includes\integrations\class-sdm-swpm-integration.php:13
action · sdm_after_file_protection_settings_fields · includes\integrations\class-sdm-swpm-integration.php:14
action · sdm_process_download_request · includes\integrations\class-sdm-swpm-integration.php:25
action · sdm_sf_process_download_request · includes\integrations\class-sdm-swpm-integration.php:26
filter · sdm_download_button_code_html · includes\integrations\class-sdm-swpm-integration.php:29
filter · swpm_not_logged_in_post_msg · includes\integrations\class-sdm-swpm-integration.php:72
filter · swpm_restricted_post_msg_older_post · includes\integrations\class-sdm-swpm-integration.php:73
filter · swpm_restricted_post_msg · includes\integrations\class-sdm-swpm-integration.php:74
filter · allowed_options · includes\sdm-admin-menu-handler.php:17
action · admin_enqueue_scripts · includes\sdm-admin-menu-handler.php:19
action · init · includes\sdm-blocks.php:6
filter · login_redirect · includes\sdm-user-login-related.php:17
action · plugins_loaded · main.php:90
action · init · main.php:103
action · admin_init · main.php:104
action · wp · main.php:105
action · admin_notices · main.php:167
filter · plugin_action_links · main.php:324
action · init · main.php:345
action · init · main.php:346
action · init · main.php:347
action · wp_enqueue_scripts · main.php:350
action · admin_menu · main.php:359
action · admin_enqueue_scripts · main.php:363
action · admin_print_styles · main.php:364
action · admin_init · main.php:366
filter · page_row_actions · main.php:369
filter · post_row_actions · main.php:370
action · admin_action_sdm_clone_post · main.php:372
filter · manage_edit-sdm_downloads_columns · main.php:1050
filter · manage_edit-sdm_downloads_sortable_columns · main.php:1051
action · manage_sdm_downloads_posts_custom_column · main.php:1052
filter · the_title · sdm-post-type-content-handler.php:8
filter · the_content · sdm-post-type-content-handler.php:24
filter · sdm_downloads_description · sdm-post-type-content-handler.php:204
filter · sdm_downloads_description · sdm-post-type-content-handler.php:205
filter · sdm_downloads_description · sdm-post-type-content-handler.php:206
filter · sdm_downloads_description · sdm-post-type-content-handler.php:207
filter · sdm_downloads_description · sdm-post-type-content-handler.php:208
filter · sdm_downloads_description · sdm-post-type-content-handler.php:209
filter · sdm_downloads_description · sdm-post-type-content-handler.php:210
filter · sdm_cpt_below_download_description · sdm-post-type-content-handler.php:228
filter · sdm_fancy1_below_download_description · sdm-post-type-content-handler.php:229
filter · widget_text · sdm-shortcodes.php:3
Maintenance & Trust

Simple Download Monitor Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 27, 2026
PHP min version
Downloads: 1.3M

Community Trust

Rating: 92/100
Number of ratings: 151
Active installs: 20K
Developer Profile

Simple Download Monitor Developer Profile

mra13

15 plugins · 210K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 616 days
Detection Fingerprints

How We Detect Simple Download Monitor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/simple-download-monitor/css/jquery.ui.min.css
Version Parameters
simple-download-monitor/css/jquery.ui.min.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-sdm-id
JS Globals
sdm_is_logged_in, sdm_download_count_increment
Shortcode Output
[sdm_download_counter] [sdm_download_link] [sdm_download_details] [sdm_download_list]
FAQ

Frequently Asked Questions about Simple Download Monitor