Download Monitor < 4.5.98 – Admin+ Arbitrary File Download | CVE 2022-2981 | Plugin Vulnerabilities

Description

The plugin does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

Proof of Concept

Create a new download on:
https://target-site/wp-admin/post-new.php?post_type=dlm_download

Add the following payload to the "File URL(s); note: only enter multiple URLs in here if you want to use file mirrors" field when creating a new Download:
php://filter/convert.base64-encode/resource=/var/www/vhosts/developerspace.de/httpdocs/blog/wp-config.php

Navigate to the newly created download page.

Affects Plugins

download-monitor

Fixed in 4.5.98

References

CVE

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

30ce32ce-161c-4388-8d22-751350b7b305

Timeline

Publicly Published

2022-09-19 (about 3 years ago)

Added

2022-09-19 (about 3 years ago)

Last Updated

2022-09-19 (about 3 years ago)

Other

Published

Title

Published

2024-10-10

Title

Contact Form by Bit Form< 2.15.3 - Admin+ Arbitrary File Read

Published

2022-04-05

Title

Download Monitor < 4.5.91 - Admin+ Arbitrary File Download

Published

2025-02-27

Title

wpForo Forum < 2.4.2 - Subscriber+ Arbitrary File Read

Published

2024-09-10

Title

EKC Tournament Manager < 2.2.2 - Admin+ Arbitrary File Download

Published

2022-10-17

Title

WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi