WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal

Description

The plugin does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory

Proof of Concept

1. Navigate to settings page (/wp-admin/edit.php?post_type=wpdmpro&page=settings)
2. In the “File Browser Root:” setting, put /tmp (v < 3.2.54) or ../../ (v <= 3.2.54)
3. Then navigate to the Asset manager (/wp-admin/edit.php?post_type=wpdmpro&page=wpdm-asset-manager)
4. You will be able to list the files/folders outside of WordPress root directory

Affects Plugins

download-manager
Fixed in version 3.2.55

References

CVE
CVE-2022-2926

Classification

Type

TRAVERSAL

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter
raadfhaddad
Verified

Yes

WPVDB ID
2a440e1a-a7e4-4106-839a-d93895e16785

Timeline

Publicly Published

2022-09-05 (about 4 months ago)

Added

2022-09-05 (about 4 months ago)

Last Updated

2022-09-05 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin