CVE-2022-2431
Published: 06 September 2022
Summary
CVE-2022-2431 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in W3Eden Download Manager. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 3.2.50. The flaw stems from insufficient file type and path validation in the deleteFiles() function within the Admin/Menu/Packages.php file, which is invoked when a download post is deleted. This issue is tracked under CWE-73 and CWE-610 and carries a CVSS 3.1 score of 8.1.
Contributor-level users and higher can exploit the vulnerability by supplying an arbitrary file path through the 'file[files]' parameter when creating a download post. Upon subsequent deletion of that post, the attacker-chosen file is removed from the server. In practice this can be leveraged to delete wp-config.php, resetting the WordPress installation and enabling remote code execution.
Public advisories and the plugin's changelog indicate that the issue was resolved in a subsequent release; the referenced Wordfence analysis and WordPress Trac changeset document the corrective code change that strengthens path validation. The EPSS score has remained flat at 0.1714 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34692
Vulnerability details
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor-level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post, and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file, which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.