CVE-2022-2981

Published: Oct 10, 2022Modified: Nov 21, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

Affected (1)

Products: Wpchill: Download Monitor

1 product

Download Monitor

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpchill Download Monitor	Before 4.5.98

Related CWEs

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (2)

https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.