{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39486", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:37.759Z", "datePublished": "2026-04-08T08:30:11.488Z", "dateUpdated": "2026-04-08T08:30:11.488Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "download-monitor", "product": "Download Monitor", "vendor": "WP Chill", "versions": [{"changes": [{"at": "5.1.9", "status": "unaffected"}], "lessThanOrEqual": "5.1.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.941Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.<p>This issue affects Download Monitor: from n/a through <= 5.1.8.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:11.488Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/download-monitor/vulnerability/wordpress-download-monitor-plugin-5-1-8-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Download Monitor plugin <= 5.1.8 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8."}], "id": "CVE-2026-39486", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:23.393", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/download-monitor/vulnerability/wordpress-download-monitor-plugin-5-1-8-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.8]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.1.9,*]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Download Monitor", "source": "cna", "vendor": "WP Chill"}, "product": "download_monitor", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-04-08T09:24:22.951044+00:00", "value": {"mitigation_remediation": ["Update the Download Monitor plugin to the latest available version, which removes the injection flaw. If an upgrade is not possible, temporarily disable or remove the plugin from the site."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection leading to data exposure or unauthorized modifications"}, "threat_synthesis": {"affected_systems": "The affected product is the WP Chill Download Monitor WordPress plugin. Versions from the earliest available through 5.1.8 are vulnerable. Users running any of these versions should be aware that the plugin is susceptible to injection attacks.", "description_and_impact": "The vulnerability is an improper handling of user input in the WP Chill Download Monitor plugin that allows blind SQL injection. This flaw can enable an attacker to execute arbitrary SQL statements against the WordPress database, potentially exposing sensitive data or modifying the database contents. The weakness corresponds to CWE\u201189.", "risk_and_exploitability": "No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, indicating an unknown or low exploitation probability. The attack vector is inferred to be a web request to the plugin\u2019s input handling endpoint with specially crafted parameters; authentication requirements are unclear, but many similar vulnerabilities are exploitable without authentication. Due to the blind nature of the injection, an attacker would need to repeatedly probe the database to extract information, which may limit the speed of exploitation but still constitutes a serious threat if left unpatched."}}}}, "created": "2026-04-08T19:30:42.517766+00:00", "updated": "2026-04-08T19:43:12.169842+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$download_monitor"]}