CVE-2022-2222
Summary
| CVE | CVE-2022-2222 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-07-17 11:15:00 UTC |
| Updated | 2022-07-18 13:51:00 UTC |
| Description | The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high-privilege users such as admins to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup. |
Risk And Classification
Problem Types: CWE-552
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Wpchill | Download Monitor | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Download Monitor < 4.5.91 - Admin+ Arbitrary File Download WordPress Security Vulnerability | MISC | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Thiago Martins
LEGACY: Jorge Buzeti
LEGACY: Leandro Inacio
LEGACY: Lucas de Souza
LEGACY: Matheus Oliveira
LEGACY: Filipe Baptistella
LEGACY: Leonardo Paiva
LEGACY: Jose Thomaz
LEGACY: Joao Maciel
LEGACY: Vinicius Pereira
LEGACY: Geovanni Campos
LEGACY: Hudson Nowak
LEGACY: Guilherme Acerbi
There are currently no legacy QID mappings associated with this CVE.