Download Monitor < 4.5.98 - Admin+ Arbitrary File Download
CVE-2022-2981

4.9MEDIUM

Key Information:

Vendor: Wordpress
Status: Download Monitor
Vendor: CVE Published:; 10 October 2022

Summary

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

Affected Version(s)

Download Monitor 4.5.98

References

https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2022
Vulnerability Reserved
Aug 24, 2022

Credit

Raad Haddad of Cloudyrion GmbH