CVE-2025-24663: 
WordPress vulnerability analysis and mitigation

The Simple Download Monitor WordPress plugin versions up to 3.9.25 contains a SQL Injection vulnerability (CVE-2025-24663). The vulnerability was discovered by researcher shinobu and was publicly disclosed on January 24, 2025. This security issue affects administrator-level users and above who have authenticated access to WordPress installations running the affected plugin versions (WPScan, Patchstack).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries in the Simple Download Monitor plugin. This security flaw is classified as an SQL Injection (SQLI) vulnerability, falling under the OWASP Top 10 category A1: Injection and CWE-89. The vulnerability has received a CVSS score of 4.9 (medium) according to WPScan, while Patchstack rates it at 7.6 (low) (WPScan, Patchstack).

The vulnerability allows authenticated attackers with administrator-level access to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. This could lead to unauthorized access to and manipulation of the WordPress database (WPScan, Patchstack).

The vulnerability has been patched in version 3.9.26 of the Simple Download Monitor plugin. Website administrators are advised to update to this version or later to remediate the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins as an additional security measure (Patchstack).