WordPress Plugin Vulnerabilities

Download Monitor < 4.5.91 - Admin+ Arbitrary File Download

Description

The plugin does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

Proof of Concept

Create a new download, add a file and put the following payload in the File URLs: /var/www/html/wp-config.php or /etc/passwd

Publish the download and download the file

Affects Plugins

download-monitor

Fixed in version 4.5.91

References

CVE

CVE-2022-2222

Classification

Type

FILE DOWNLOAD

OWASP top 10

A1: Injection

CWE

CWE-552

Miscellaneous

Original Researcher

Thiago Martins, Jorge Buzeti, Leandro Inacio, Lucas de Souza, Matheus Oliveira, Filipe Baptistella, Leonardo Paiva, Jose Thomaz, Joao Maciel, Vinicius Pereira, Geovanni Campos, Hudson Nowak, Guilherme Acerbi

Verified

Yes

WPVDB ID

dd48624a-1781-419c-a3c4-1e3eaf5e2c1b

Timeline

Publicly Published

2022-04-05 (about 11 months ago)

Added

2022-06-27 (about 9 months ago)

Last Updated

2022-06-27 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin