WordPress Plugin Vulnerabilities

Download Manager < 3.2.50 - Contributor+ PHAR Deserialization

Description

The plugin does not validate a parameter, which could allow users with a role as low as contributor to perform PHAR deserialisation when a suitable gadget chain is also present

Affects Plugins

Plugin icon
download-manager
Fixed in 3.2.50

References

CVE
CVE-2022-2436

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Rasoul Jahanshahi
Verified
Yes
WPVDB ID
493a4626-71f0-4cfc-b1d9-74ca8130045e

Timeline

Publicly Published
2022-08-17 (about 3 years ago)
Added
2022-08-18 (about 3 years ago)
Last Updated
2023-05-10 (about 2 years ago)

Other

Published
Title
Published
2024-10-09
Title
Telecash Ricaricaweb <= 2.2 - Unauthenticated PHP Object Injection
Published
2025-04-17
Title
FluentBoards < 1.48 - Unauthenticated PHP Object Injection
Published
2021-11-15
Title
ToTop Link <= 1.7.1 - Unauthenticated PHP Object Injection
Published
2024-01-05
Title
Taggbox < 3.2 - Unauthenticated PHP Object Injection
Published
2025-09-01
Title
Constant Contact for WordPress <= 4.1.1 - Unauthenticated PHP Object Injection