CVE-2025-8977

Vulnerability

Overview

The Simple Download Monitor plugin for WordPress, versions up to and including 3.9.33, is vulnerable to time-based SQL Injection. The vulnerability exists in the handling of the order parameter, where insufficient escaping and lack of proper preparation on the existing SQL query allow an attacker to inject malicious SQL. This flaw is present in the plugin's database query construction, as seen in the reference code that creates the sdm_downloads table [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level access and have the necessary permissions granted by an Administrator. The attack is performed by manipulating the order parameter in a request, which is then used in an SQL query without adequate sanitization. The time-based nature of the injection means the attacker can infer information by observing response delays, making it possible to extract data even without direct output.

Impact

Successful exploitation allows an authenticated attacker to append additional SQL queries to existing ones, potentially extracting sensitive information from the WordPress database. This could include user credentials, session tokens, or other confidential data stored in the database. The CVSS v3 score of 6.5 (Medium) reflects the need for authentication but also the potential for significant data exposure.

Mitigation

As of the publication date, the vulnerability affects all versions up to and including 3.9.33. Users should update to a patched version if available, or apply a workaround such as restricting access to the plugin's functionality for untrusted users. The vendor has not yet released a fix, so administrators should monitor for updates and consider temporary measures like disabling the plugin or using a web application firewall to block malicious requests.