WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion

Description

The plugin does not properly validate the path of the file saved within the download post to ensure it is a safe file type or is associated with a download post. As a result, authenticated users able to create downloads, could delete arbitrary files from the server

Affects Plugins

download-manager
Fixed in version 3.2.51

References

CVE
CVE-2022-2431
URL
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/

Classification

Type

FILE DELETION

OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73

Miscellaneous

Original Researcher

Chloe Chamberland

Verified

Yes

WPVDB ID
0f249c1a-ccab-4746-b55b-23d7e3218d24

Timeline

Publicly Published

2022-08-03 (about 6 months ago)

Added

2022-08-03 (about 6 months ago)

Last Updated

2022-08-03 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin