CVE-2022-2101 : The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scr

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on the file's page that will execute whenever an administrator accesses the editor area for the injected file page.

Published 2022-07-18 17:15:09

Updated 2025-03-21 16:07:09

Source Wordfence

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-2101

W3eden » Download Manager » For Wordpress
Versions up to, including, (<=) 3.2.46
cpe:2.3:a:w3eden:download_manager:*:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-2101

EPSS FAQ

0.32%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 54 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-2101

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	3.1	2.7	Wordfence
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: None

References for CVE-2022-2101

https://www.wordfence.com/threat-intel/vulnerabilities/id/b399929a-db33-419f-9218-b86ee88a9f1a?source=cve

Download Manager <= 3.2.46 - Contributor+ Cross-Site Scripting
https://packetstormsecurity.com/files/167573/

WordPress Download Manager 3.2.43 Cross Site Scripting ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://medium.com/%40andreabocchetti88/download-manager-3-2-43-contributor-cross-site-scripting-fa4970fba45c

Download Manager <= 3.2.43 — Contributor+ Cross-Site Scripting Download Manager Cross-Site Scripting I want to communicate this vulnerability discovered via upload file (authenticated). When you add…
Exploit;Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2750339%40download-manager&new=2750339%40download-manager&sfp_email=&sfph_mail=

Changeset 2750339 for download-manager – WordPress Plugin Repository
Patch;Release Notes;Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2101

Vulnerability Advisories - Wordfence
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-2101

Products affected by CVE-2022-2101

Exploit prediction scoring system (EPSS) score for CVE-2022-2101

CVSS scores for CVE-2022-2101

References for CVE-2022-2101