WordPress Plugin Vulnerabilities

Download Manager < 3.2.50 - Contributor+ PHAR Deserialization

Description

The plugin does not validate a parameter, which could allow users with a role as low as contributor to perform PHAR deserialisation when a suitable gadget chain is also present

Affects Plugins

download-manager

Fixed in version 3.2.50

References

CVE

CVE-2022-2436

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Original Researcher

Rasoul Jahanshahi

Verified

Yes

WPVDB ID

493a4626-71f0-4cfc-b1d9-74ca8130045e

Timeline

Publicly Published

2022-08-17 (about 5 months ago)

Added

2022-08-18 (about 5 months ago)

Last Updated

2022-08-18 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin