CVE-2022-2926

Published Sep 26, 2022

Last updated 6 months ago

CVSS medium 4.9

Overview

Description: The Download Manager WordPress plugin before 3.2.55 does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory
Source: contact@wpscan.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 4.9
Impact score: 3.6
Exploitability score: 1.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

contact@wpscan.com: CWE-22

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:adobe:download_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5A611139-199C-42CB-9928-BA3CDDDBB92A",
            "versionEndExcluding": "3.2.55"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.