CVE-2022-2431

Name of the Vulnerable Software and Affected Versions Download Manager plugin for WordPress versions up to, and including 3.2.50

Description The issue arises from insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file. This function is triggered upon download post deletion, allowing contributor level users and above to supply an arbitrary file path via the file[files] parameter when creating a download post. Once the user deletes the post, the supplied arbitrary file will be deleted. This can be exploited to delete critical files, such as the /wp-config.php file, potentially leading to remote code execution on the server.

Recommendations For Download Manager plugin for WordPress versions up to, and including 3.2.50, update to a version higher than 3.2.50 to resolve the issue. As a temporary workaround, consider restricting access to the deleteFiles() function or limiting the ability to create and delete download posts to higher-level users until a patch is available. Additionally, restrict the use of the file[files] parameter in the affected API endpoint to minimize the risk of exploitation.