{"api_version":"1","generated_at":"2026-05-06T07:32:48+00:00","cve":"CVE-2022-2101","urls":{"html":"https://cve.report/CVE-2022-2101","api":"https://cve.report/api/cve/CVE-2022-2101.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-2101","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-2101"},"summary":{"title":"Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting","description":"The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on the file's page that will execute whenever an administrator accesses the editor area for the injected file page.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2022-07-18 17:15:08","updated_at":"2026-04-08 19:17:50"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"6.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","data":{"baseScore":6.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://medium.com/%40andreabocchetti88/download-manager-3-2-43-contributor-cross-site-scripting-fa4970fba45c","name":"https://medium.com/%40andreabocchetti88/download-manager-3-2-43-contributor-cross-site-scripting-fa4970fba45c","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"],"title":"Download Manager <= 3.2.43 — Contributor+ Cross-Site Scripting Download Manager Cross-Site Scripting I want to communicate this vulnerability discovered via upload file (authenticated). When you add… - Andrea Bocchetti - Medium","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2750339%40download-manager&new=2750339%40download-manager&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2750339%40download-manager&new=2750339%40download-manager&sfp_email=&sfph_mail=","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Release Notes","Third Party Advisory"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://packetstormsecurity.com/files/167573/","name":"https://packetstormsecurity.com/files/167573/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"WordPress Download Manager 3.2.43 Cross Site Scripting ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2101","name":"https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2101","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Vulnerability Advisories - Wordfence","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b399929a-db33-419f-9218-b86ee88a9f1a?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b399929a-db33-419f-9218-b86ee88a9f1a?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-2101","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2101","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"codename065","product":"Download Manager","version":"affected 3.2.46 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2022-06-21T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"andrea bocchetti","lang":"en"}],"nvd_cpes":[{"cve_year":"2022","cve_id":"2101","vulnerable":"1","versionEndIncluding":"3.2.46","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"w3eden","cpe5":"download_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2022","cve_id":"2101","cve":"CVE-2022-2101","epss":"0.003130000","percentile":"0.544160000","score_date":"2026-04-08","updated_at":"2026-04-09 00:05:10"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-03T00:24:44.260Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b399929a-db33-419f-9218-b86ee88a9f1a?source=cve"},{"tags":["x_transferred"],"url":"https://packetstormsecurity.com/files/167573/"},{"tags":["x_transferred"],"url":"https://medium.com/%40andreabocchetti88/download-manager-3-2-43-contributor-cross-site-scripting-fa4970fba45c"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2750339%40download-manager&new=2750339%40download-manager&sfp_email=&sfph_mail="},{"tags":["x_transferred"],"url":"https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2101"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Download Manager","vendor":"codename065","versions":[{"lessThanOrEqual":"3.2.46","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"andrea bocchetti"}],"descriptions":[{"lang":"en","value":"The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on the file's page that will execute whenever an administrator accesses the editor area for the injected file page."}],"metrics":[{"cvssV3_1":{"baseScore":6.4,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:16:41.019Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b399929a-db33-419f-9218-b86ee88a9f1a?source=cve"},{"url":"https://packetstormsecurity.com/files/167573/"},{"url":"https://medium.com/%40andreabocchetti88/download-manager-3-2-43-contributor-cross-site-scripting-fa4970fba45c"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2750339%40download-manager&new=2750339%40download-manager&sfp_email=&sfph_mail="},{"url":"https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2101"}],"timeline":[{"lang":"en","time":"2022-06-21T00:00:00.000Z","value":"Disclosed"}],"title":"Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2022-2101","datePublished":"2022-07-18T16:13:21.000Z","dateReserved":"2022-06-16T00:00:00.000Z","dateUpdated":"2026-04-08T17:16:41.019Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2022-07-18 17:15:08","lastModifiedDate":"2026-04-08 19:17:50","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:w3eden:download_manager:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"3.2.46","matchCriteriaId":"0F447264-0078-4E18-B480-1B6FCC1E164A"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"2101","Ordinal":"1","Title":"Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting","CVE":"CVE-2022-2101","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"2101","Ordinal":"1","NoteData":"The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on the file's page that will execute whenever an administrator accesses the editor area for the injected file page.","Type":"Description","Title":"Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting"}]}}}