PatchSiren cyber security CVE debrief
CVE-2026-39489 WP Chill CVE debrief
CVE-2026-39489 is a medium-severity vulnerability (CVSS score: 4.4) affecting the Download Monitor plugin for WordPress, specifically versions up to 5.1.9. The issue allows an author to download arbitrary files. The vulnerability was published and last modified on 2026-06-15.
- Vendor: WP Chill
- Product: Download Monitor
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the Download Monitor plugin for WordPress, particularly those with authors who have access to the plugin's functionality, should be aware of this vulnerability.
Technical summary
The vulnerability is characterized as CWE-22, which relates to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N.
Defensive priority
This vulnerability is considered medium severity and requires attention, especially if the plugin is used in an environment where authors have significant access.
Recommended defensive actions
- Update the Download Monitor plugin to a version beyond 5.1.9 if available.
- Restrict access to the plugin's functionality to trusted users only.
- Monitor for any suspicious activity related to file downloads.
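To act on the first item, the check below is an added example (not code from the advisory or the plugin vendor) that walks a hosting root, finds every copy of the plugin, and flags versions up to 5.1.9. It assumes the plugin lives under the directory slug `download-monitor`; the two demo sites and their header files are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (5, 1, 9)  # advisory: versions up to 5.1.9 are affected
PLUGIN_GLOB = "wp-content/plugins/download-monitor"  # assumed install slug
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)


def is_affected(version):
    """Compare numerically, so 5.1.10 is newer than 5.1.9 and 5.1.9.0 equals it."""
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)


def installed_version(plugin_dir):
    """Read Version from the top-level PHP file that carries the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def audit(search_root):
    """Return [(plugin_dir, version, affected)] for every copy under search_root."""
    findings = []
    for plugin_dir in sorted(Path(search_root).rglob(PLUGIN_GLOB)):
        version = installed_version(plugin_dir)
        if version is not None:
            findings.append((str(plugin_dir), version, is_affected(version)))
    return findings


def demo():
    """Build two constructed sites in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("site-a", "5.1.9"), ("site-b", "5.1.10")):
            plugin = Path(root, site, PLUGIN_GLOB)
            plugin.mkdir(parents=True)
            header = f"<?php\n/**\n * Plugin Name: Download Monitor\n * Version: {ver}\n */\n"
            (plugin / "download-monitor.php").write_text(header)
        return [(Path(p).parts[-4], v, hit) for p, v, hit in audit(root)]


if __name__ == "__main__":
    for site, version, affected in demo():
        print(site, ".".join(map(str, version)), "AFFECTED" if affected else "ok")
```

On a real host, call `audit()` with the directory that contains the WordPress installs instead of running `demo()`.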
Evidence notes
Evidence for this CVE comes from Patchstack, as noted in the source item.
Official resources
- CVE-2026-39489 CVE record (CVE.org)
- CVE-2026-39489 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-39489 was published on 2026-06-15T21:16:44.610Z and last modified on 2026-06-15T21:24:32.790Z.