Severity
NVD: 8.8 HIGH
CNA: 8.1
EPSS
17.1% (top 4.98%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 6, 2022
Latest update: Sep 7, 2022

Description

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including, 3.2.50. This is due to insufficient file type and path validation in the deleteFiles() function found in the ~/Admin/Menu/Packages.php file, which triggers upon download post deletion. This makes it possible for contributor-level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and, once the user deletes the post, the suppli
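The following PHP is an added illustration of the bug class the advisory describes, not code from the Download Manager plugin: a delete-on-post-deletion routine that unlinks whatever paths were stored with the post, next to a hardened variant that canonicalises each path, confines it to the upload directory and allow-lists the extension. The function names, the directory layout built under the system temp directory, and the extension allow-list are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example; not the plugin's own code. ALLOWED_EXTENSIONS is an assumed
// allow-list of file types the "download post" is permitted to manage.
const ALLOWED_EXTENSIONS = ['zip', 'pdf', 'txt'];

/**
 * Vulnerable pattern: every stored path is joined to the upload directory
 * and unlinked as-is, so a stored value such as "../wp-config.php" escapes
 * the upload directory. This mirrors the missing path validation the
 * advisory describes; it is not the plugin's actual deleteFiles().
 */
function delete_files_vulnerable(string $uploadDir, array $storedFiles): array
{
    $deleted = [];
    foreach ($storedFiles as $file) {
        $path = rtrim($uploadDir, '/') . '/' . $file;
        if (is_file($path) && unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

/**
 * Hardened pattern: reject anything that is not a bare file name, require an
 * allow-listed extension, resolve the real path (which also follows symlinks)
 * and delete only if the result still lies inside the upload directory.
 */
function delete_files_hardened(string $uploadDir, array $storedFiles): array
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return [];
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $deleted = [];
    foreach ($storedFiles as $file) {
        // No directory components, no empty names, no dot-files.
        if ($file !== basename($file) || $file === '' || $file[0] === '.') {
            continue;
        }
        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            continue;
        }
        $real = realpath($base . $file);
        // A symlink inside uploads that points elsewhere resolves outside $base.
        if ($real === false || !is_file($real) || strncmp($real, $base, strlen($base)) !== 0) {
            continue;
        }
        if (unlink($real)) {
            $deleted[] = $real;
        }
    }
    return $deleted;
}

// Constructed demo tree: a fake wp-config.php beside an uploads directory that
// holds one legitimate package and a symlink pointing back at wp-config.php.
$root = sys_get_temp_dir() . '/wpdm_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // sensitive\n");
file_put_contents("$root/uploads/package.zip", "PK");
symlink("$root/wp-config.php", "$root/uploads/link.zip");

// Stored values an attacker could have planted via the file list parameter.
$stored = ['package.zip', '../wp-config.php', 'link.zip'];

// Hardened: only package.zip is removed; the traversal and the symlink are refused.
$gone = delete_files_hardened("$root/uploads", $stored);
printf("hardened deleted: %s\n", implode(', ', array_map('basename', $gone)));
printf("wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');

// Vulnerable: the traversal entry deletes wp-config.php outside the upload directory.
$gone = delete_files_vulnerable("$root/uploads", ['../wp-config.php']);
printf("vulnerable deleted: %s\n", implode(', ', $gone));
printf("wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');

// Clean up the demo tree.
unlink("$root/uploads/link.zip");
rmdir("$root/uploads");
rmdir($root);
```

Run it with `php` on a platform that supports symlinks; the two "still present" lines show the difference between the two routines. The containment check relies on `realpath()` returning a canonical path with symlinks resolved, which is why the link named `link.zip` is refused even though its name and extension pass the cheaper checks.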

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: download-manager/download_manager, 3.2.50 / 3.2.50 (vulnerable up to and including 3.2.50)

Patches

Vulnerability Details (2)

GHSA: GHSA-3hhq-xm5h-wcvh (2022-09-07): The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50
CVEList (2022-09-06): Download Manager <= 3.2.50 - Authenticated (Contributor+) Arbitrary File Deletion
CVE-2022-2431 — External Control of File Name or Path | cvebase