CVE-2022-2222

MEDIUM

WordPress Download Monitor <4.5.91 - Info Disclosure

Title source: llm
STIX 2.1

Description

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b

Scores

CVSS v3 4.9
EPSS 0.0090
EPSS Percentile 54.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-552
Status published
Products (1)
wpchill/download_monitor < 4.5.91
Published Jul 17, 2022
Tracked Since Feb 18, 2026