CVE-2021-24786: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24786 affects the WordPress Download Monitor plugin versions below 4.4.5. This SQL injection vulnerability was discovered and publicly disclosed on October 20, 2021. The vulnerability exists in the plugin's log viewing functionality, specifically affecting administrators and users with higher privileges (WPScan Vuln).

The vulnerability stems from improper validation and escaping of the 'orderby' GET parameter when viewing logs in the Download Monitor plugin. When processing this parameter in SQL statements, the lack of proper sanitization creates an SQL injection vulnerability. The vulnerability has been assigned a CVSS score of 6.8 (medium severity) and is classified under CWE-89 and OWASP Top 10 A1: Injection category (WPScan Vuln).

This vulnerability allows authenticated users with administrative privileges to perform SQL injection attacks through the log viewing functionality. The impact is limited to installations where there is at least one log entry present in the system. An attacker could potentially execute arbitrary SQL commands, leading to unauthorized data access or manipulation of the WordPress database (WPScan Vuln).

The vulnerability has been fixed in Download Monitor version 4.4.5. Users are strongly advised to update their installations to this version or newer to mitigate the risk. No alternative workarounds have been published (WPScan Vuln).