CVE-2021-24698: 
WordPress vulnerability analysis and mitigation

The Simple Download Monitor WordPress plugin before version 3.9.6 was identified with a security vulnerability tracked as CVE-2021-24698. The vulnerability was discovered and publicly disclosed on October 5, 2021. This security issue affects the thumbnail management functionality of the plugin, specifically impacting access controls for download thumbnails (WPScan, NVD).

The vulnerability is classified as an Improper Access Control (CWE-284) issue with a CVSS v3.1 base score of 4.3 (Medium). The technical assessment reveals that the vulnerability allows users with Contributor-level privileges to remove thumbnails from downloads they do not own, even without proper edit permissions for the download itself. This represents a broken access control vulnerability, categorized under OWASP Top 10 as A5: Broken Access Control (WPScan).

The vulnerability enables unauthorized thumbnail removal operations, allowing users with Contributor-level access to manipulate thumbnails of downloads they don't have permission to edit. This could lead to unauthorized modification of download presentations and potential disruption of content management (NVD).

The vulnerability has been patched in version 3.9.6 of the Simple Download Monitor plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).