Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
CVE-2022-2222

4.9MEDIUM

Key Information:

Vendor: Wordpress
Status: Download Monitor
Vendor: CVE Published:; 17 July 2022

Summary

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

Affected Version(s)

Download Monitor 4.5.91

References

https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-...

x_refsource_MISC

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 17, 2022
Vulnerability Reserved
Jun 27, 2022

Credit

Thiago Martins

Jorge Buzeti

Leandro Inacio

Lucas de Souza

Matheus Oliveira

Filipe Baptistella

Leonardo Paiva

Jose Thomaz

Joao Maciel

Vinicius Pereira

Geovanni Campos

Hudson Nowak

Guilherme Acerbi