CVE-2022-2101

Name of the Vulnerable Software and Affected Versions Download Manager plugin for WordPress versions up to, and including, 3.2.46

Description The issue is related to Stored Cross-Site Scripting via the file[files][] parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on the file's page, which will execute whenever an administrator accesses the editor area for the injected file page.

Recommendations For versions up to, and including, 3.2.46, update to a version higher than 3.2.46 to resolve the issue. As a temporary workaround, consider restricting access to the file[files][] parameter to minimize the risk of exploitation. Additionally, limiting contributor level permissions may also help mitigate the risk until a patch is applied.