CVE-2022-2436

Name of the Vulnerable Software and Affected Versions Download Manager plugin for WordPress versions up to and including 3.2.49

Description The issue allows authenticated attackers with contributor privileges and above to deserialize untrusted input via the file[package dir] parameter. This can lead to the execution of arbitrary PHP objects, enabling various malicious actions if a POP chain is present. The attack requires the successful upload of a file containing a serialized payload.

Recommendations For Download Manager plugin for WordPress versions up to and including 3.2.49, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the file[package dir] parameter to minimize the risk of exploitation. Avoid using the file[package dir] parameter in the affected plugin until the issue is resolved.