CVE-2022-2431
HIGHDownload Manager <= 3.2.50 - Arbitrary File Deletion via 'file[files]' Parameter
Title source: llmDescription
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2762092%40download-manager&new=2762092%40download-manager&sfp_email=&sfph_mail=
Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/167920/wpdownloadmanager3250-filedelete.txt
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/
Scores
CVSS v3
8.1
EPSS
0.0245
EPSS Percentile
82.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-610
CWE-73
Status
published
Products (1)
w3eden/download_manager
< 3.2.50
Published
Sep 06, 2022
Tracked Since
Feb 18, 2026