// For flags

CVE-2022-2431

Download Manager <= 3.2.50 - Authenticated (Contributor+) Arbitrary File Deletion

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.

El plugin Download Manager para WordPress es vulnerable a la eliminación arbitraria de archivos en versiones hasta 3.2.50 incluyéndola. Esto es debido a la insuficiente comprobación del tipo de archivo y de la ruta en la función deleteFiles() que es encontrado en el archivo ~/Admin/Menu/Packages.php y que es desencadenado cuando es eliminado una entrada de descarga. Esto hace posible que los usuarios de nivel de colaborador y superior suministren una ruta de archivo arbitraria por medio del parámetro "file[files]" cuando es creado una entrada de descarga y, una vez que el usuario elimina la entrada, el archivo arbitrario suministrado será eliminado. Esto puede ser usado por atacantes para eliminar el archivo /wp-config.php que restablecerá la instalación y hará posible que un atacante logre una ejecución de código remota en el servidor.

WordPress Download Manager plugin versions 3.2.50 and below suffer from an arbitrary file deletion vulnerability.

*Credits: Chloe Chamberland, Wordfence
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-07-27 CVE Published
  • 2024-06-25 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-73: External Control of File Name or Path
  • CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wpdownloadmanager
Search vendor "Wpdownloadmanager"
Wordpress Download Manager
Search vendor "Wpdownloadmanager" for product "Wordpress Download Manager"
<= 3.2.50
Search vendor "Wpdownloadmanager" for product "Wordpress Download Manager" and version " <= 3.2.50"
wordpress
Affected